From: Haesu Gwon Date: Thu, 29 Sep 2016 12:22:55 +0000 (+0900) Subject: Fix TSAM-7948 X-Git-Tag: accepted/tizen/3.0/ivi/20161011.053531^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F54%2F90354%2F2;p=platform%2Fcore%2Fapi%2Fcamera.git Fix TSAM-7948 Received message is at risk for corruption with previous message. So '\0' char is added at end of tokenized message. [Version] 0.2.76 [Profile] Common [Issue Type] Bug fix [Dependency module] N/A [Dependency commit] N/A [Test] [W(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-wearable_20160929.1] Change-Id: Icca98962da0f955ce32c0acc660ccc40754510e2 Signed-off-by: Haesu Gwon
---
diff --git a/include/camera_private.h b/include/camera_private.h
index 8d84f75..7cbd9e1 100644
--- a/include/camera_private.h
+++ b/include/camera_private.h
@@ -34,7 +34,7 @@ extern "C" {
 #endif /* BUFFER_MAX_PLANE_NUM */
 #define BUFFER_MAX_PLANE_NUM 4
-#define CAMERA_PARSE_STRING_SIZE 20
+#define CAMERA_PARSED_STRING_NUM_MAX 20
 #define CAMERA_CB_TIMEOUT 5
 #define CAMERA_CB_TIMEOUT_LONG 8
@@ -113,7 +113,7 @@ typedef struct _camera_cb_info_s {
 /* message receive thread */
 GThread *msg_recv_thread;
 gint msg_recv_running;
- gchar recv_msg[MUSE_CAMERA_MSG_MAX_LENGTH];
+ gchar recv_msg[MUSE_CAMERA_MSG_MAX_LENGTH * CAMERA_PARSED_STRING_NUM_MAX];
 GCond api_cond[MUSE_CAMERA_API_MAX];
 GMutex api_mutex[MUSE_CAMERA_API_MAX];
 gint api_activating[MUSE_CAMERA_API_MAX];
diff --git a/packaging/capi-media-camera.spec b/packaging/capi-media-camera.spec
index 259c444..909ab32 100644
--- a/packaging/capi-media-camera.spec
+++ b/packaging/capi-media-camera.spec
@@ -1,6 +1,6 @@
 Name: capi-media-camera
 Summary: A Camera API
-Version: 0.2.75
+Version: 0.2.76
 Release: 0
 Group: Multimedia/API
 License: Apache-2.0
diff --git a/src/camera.c b/src/camera.c
index f98d43b..d499594 100644
--- a/src/camera.c
+++ b/src/camera.c
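Review bot: The enlarged `recv_msg` field in `_camera_cb_info_s` (second hunk of include/camera_private.h) carries no comment tying its size to the parser, and the call that fills it is not part of this diff. A field comment such as `/* holds up to CAMERA_PARSED_STRING_NUM_MAX combined messages of MUSE_CAMERA_MSG_MAX_LENGTH bytes each; the receiver must leave room for a terminating NUL */` would state the contract the new parsing code in src/camera.c relies on, since that code prints from this buffer with `%s`. Whether the receive call actually passes the new size (rather than a fixed `MUSE_CAMERA_MSG_MAX_LENGTH`) cannot be seen here and should be confirmed at the call site; the struct body continues outside the hunk.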
@@ -1784,6 +1784,7 @@ static void *_camera_msg_recv_func(gpointer data)
 int num_token = 0;
 int str_pos = 0;
 int prev_pos = 0;
+ int msg_length = 0;
 char *error_msg = NULL;
 char *recv_msg = NULL;
 char **parse_str = NULL;
@@ -1796,13 +1797,13 @@ static void *_camera_msg_recv_func(gpointer data)
 LOGD("start");
- parse_str = (char **)malloc(sizeof(char *) * CAMERA_PARSE_STRING_SIZE);
+ parse_str = (char **)malloc(sizeof(char *) * CAMERA_PARSED_STRING_NUM_MAX);
 if (parse_str == NULL) {
 LOGE("parse_str malloc failed");
 return NULL;
 }
- for (i = 0 ; i < CAMERA_PARSE_STRING_SIZE ; i++) {
+ for (i = 0 ; i < CAMERA_PARSED_STRING_NUM_MAX ; i++) {
 parse_str[i] = (char *)malloc(sizeof(char) * MUSE_CAMERA_MSG_MAX_LENGTH);
 if (parse_str[i] == NULL) {
 LOGE("parse_str[%d] malloc failed", i);
@@ -1829,13 +1830,26 @@ static void *_camera_msg_recv_func(gpointer data)
 /*LOGD("recvMSg : %s, length : %d", recv_msg, ret);*/
 /* Need to split the combined entering msgs.
- This module supports up to 200 combined msgs. */
+ This module supports up to 20 combined msgs. */
 for (str_pos = 0; str_pos < ret; str_pos++) {
 if (recv_msg[str_pos] == '}') {
- strncpy(parse_str[num_token], recv_msg + prev_pos, str_pos - prev_pos + 1);
- /*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
+ msg_length = str_pos - prev_pos + 1;
+
+ if (msg_length < MUSE_CAMERA_MSG_MAX_LENGTH) {
+ strncpy(parse_str[num_token], recv_msg + prev_pos, msg_length);
+ parse_str[num_token][msg_length] = '\0';
+ num_token++;
+ /*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
+ } else {
+ LOGW("too long message : length %d [%s]", msg_length, recv_msg + prev_pos);
+ }
+
 prev_pos = str_pos + 1;
- num_token++;
+
+ if (num_token >= CAMERA_PARSED_STRING_NUM_MAX) {
+ LOGE("There's too many tokens. Remained msg : %s", recv_msg[++str_pos]);
+ break;
+ }
 }
 }
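Review bot: In the new token-limit branch of the third hunk, `LOGE("There's too many tokens. Remained msg : %s", recv_msg[++str_pos]);` passes a single `char` where `%s` expects a `char *`. That is undefined behaviour, and it triggers exactly when a peer packs more than CAMERA_PARSED_STRING_NUM_MAX messages into one read, so the likely outcome is a crash of the receive thread or unrelated memory written to the log. Pass a pointer and bound it by the bytes received, e.g. `LOGE("There's too many tokens. Remained msg : %.*s", ret - str_pos - 1, recv_msg + str_pos + 1);` (assuming `ret` is an `int`). The `LOGW("too long message ...")` call has a related problem: its `%s` runs from `recv_msg + prev_pos` to the next NUL instead of stopping at `msg_length`, so `%.*s` with `msg_length` fits there too. As far as this hunk shows, bytes after the last `}` of a read are neither tokenized nor carried over, so a message split across two reads may be lost; the rest of `_camera_msg_recv_func` is outside the hunk, so confirm there.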
@@ -1843,7 +1857,7 @@ static void *_camera_msg_recv_func(gpointer data)
 /* Re-construct to the useful single msg. */
 for (i = 0; i < num_token; i++) {
- if (i >= CAMERA_PARSE_STRING_SIZE) {
+ if (i >= CAMERA_PARSED_STRING_NUM_MAX) {
 LOGE("invalid token index %d", i);
 break;
 }
@@ -1942,7 +1956,7 @@ static void *_camera_msg_recv_func(gpointer data)
 CB_HANDLER_EXIT:
 if (parse_str) {
- for (i = 0 ; i < CAMERA_PARSE_STRING_SIZE ; i++) {
+ for (i = 0 ; i < CAMERA_PARSED_STRING_NUM_MAX ; i++) {
 if (parse_str[i]) {
 free(parse_str[i]);
 parse_str[i] = NULL;