From: hjkim <backto.kim@samsung.com>
Date: Tue, 14 Jan 2025 06:24:56 +0000 (+0900)
Subject: Check error to prevent infinite loop
X-Git-Tag: accepted/tizen/unified/20250123.054008~4
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F03%2F318203%2F8;p=platform%2Fcore%2Fmultimedia%2Flibmm-utility.git

Check error to prevent infinite loop

[Issue]
  A crash occurred in while loop. Fix Fuzzing issue.

Change-Id: If1da0937431454079f09d11456e28d5ce676933f
---

diff --git a/jpeg/mm_util_jpeg.c b/jpeg/mm_util_jpeg.c
index 7e91378..a963f97 100644
--- a/jpeg/mm_util_jpeg.c
+++ b/jpeg/mm_util_jpeg.c
@@ -448,6 +448,12 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 		int y = 0;
 		while (dinfo.output_scanline < dinfo.output_height) {
 			jpeg_read_scanlines(&dinfo, buffer, 1);
+			if (dinfo.err->msg_code != 0) {
+				mm_util_error("jpeg_read_scanlines failed");
+				ret = MM_UTIL_ERROR_INVALID_OPERATION;
+				goto END;
+			}
+
 			for (i = 0; i < row_stride; i += 3) {
 				image[i/3] = row[i];
 				if (i & 1) {
@@ -466,6 +472,11 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 		while (dinfo.output_scanline < dinfo.output_height) {
 			/* jpeg_read_scanlines expects an array of pointers to scanlines. Here the array is only one element long, but you could ask formore than one scanline at a time if that's more convenient. */
 			jpeg_read_scanlines(&dinfo, buffer, 1);
+			if (dinfo.err->msg_code != 0) {
+				mm_util_error("jpeg_read_scanlines failed");
+				ret = MM_UTIL_ERROR_INVALID_OPERATION;
+				goto END;
+			}
 
 			memcpy(image_buffer + state, buffer[0], row_stride);
 			state += row_stride;
@@ -474,9 +485,10 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 	}
 
 	ret = mm_image_create_image(dinfo.output_width, dinfo.output_height, color_format, image_buffer, image_buffer_size, decoded);
-	g_free(image_buffer);
 
 END:
+	g_free(image_buffer);
+
 	/* Finish decompression */
 	jpeg_finish_decompress(&dinfo);
 	mm_util_debug("jpeg_finish_decompress");