From: Jiyong Min
Date: Fri, 22 Jun 2018 01:26:09 +0000 (+0900)
Subject: Fix stack-buffer-overflow when the album-artwork is resized
X-Git-Tag: accepted/tizen/4.0/unified/20180622.124721^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F67%2F182267%2F1;p=platform%2Fcore%2Fmultimedia%2Flibmedia-service.git
Fix stack-buffer-overflow when the album-artwork is resized
Change-Id: I056c0aef612ec483ed3e28cfaa6773c45c9aa50f
---
diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index b146918..e7e93fa 100644
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name: libmedia-service
 Summary: Media information service library for multimedia applications
-Version: 0.3.21
+Version: 0.3.22
 Release: 0
 Group: Multimedia/Libraries
 License: Apache-2.0 and PD
diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index 26112f7..329ebbd 100755
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -624,19 +624,20 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 {
 int ret = MS_MEDIA_ERR_NONE;
 unsigned char *raw_image = NULL;
- int width = 0;
- int height = 0;
+ unsigned long width = 0;
+ unsigned long height = 0;
 unsigned long long raw_size = 0;
 void *resized_raw_image = NULL;
 int resized_width = 0;
 int resized_height = 0;
 unsigned int buf_size = 0;
 image_util_colorspace_e colorspace = IMAGE_UTIL_COLORSPACE_RGB888;
+ unsigned long long resized_size = 0;
 if ((strstr(img_format, "jpeg") != NULL) || (strstr(img_format, "jpg") != NULL) || (strstr(img_format, "JPG") != NULL)) {
 media_svc_debug("type [jpeg] size [%d]", size);
 /* decoding */
- ret = __media_svc_decode_jpeg(image, (unsigned long long)size, colorspace, &raw_image, (unsigned long *)&width, (unsigned long *)&height, &raw_size);
+ ret = __media_svc_decode_jpeg(image, (unsigned long long)size, colorspace, &raw_image, &width, &height, &raw_size);
 if (ret != MS_MEDIA_ERR_NONE) {
 media_svc_error("__media_svc_decode_jpeg failed");
 *resize_image = image;
@@ -681,7 +682,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 memset(resized_raw_image, 0, buf_size);
- ret = image_util_resize(resized_raw_image, &resized_width, &resized_height, raw_image, width, height, colorspace);
+ ret = image_util_resize(resized_raw_image, &resized_width, &resized_height, raw_image, (int)width, (int)height, colorspace);
 if (ret != MS_MEDIA_ERR_NONE) {
 media_svc_error("image_util_resize failed");
 *resize_image = image;
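Review bot: The `(int)width` and `(int)height` casts in the `image_util_resize` call narrow the decoded dimensions without a range check, so a value above INT_MAX would reach the resizer as a negative or truncated size. The dimensions come from the decoded artwork, and whether `__media_svc_decode_jpeg` bounds them is not visible in these hunks. A guard placed right after the decode succeeds, `if (width > INT_MAX || height > INT_MAX)`, taking the same fallback as the other failure branches, would make the casts safe. A short comment on the new declarations, `/* unsigned long: must match the decoder's out-parameter type, never cast an int pointer here */`, would help keep the original overflow from being reintroduced; the function continues past both hunks.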
@@ -693,7 +694,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 SAFE_FREE(raw_image);
 /* encoding */
- ret = __media_svc_encode_jpeg((unsigned char *)resized_raw_image, (unsigned long)resized_width, (unsigned long)resized_height, colorspace, 90, resize_image, (unsigned long long *)resize_size);
+ ret = __media_svc_encode_jpeg((unsigned char *)resized_raw_image, (unsigned long)resized_width, (unsigned long)resized_height, colorspace, 90, resize_image, &resized_size);
 if (ret != MS_MEDIA_ERR_NONE) {
 media_svc_error("__media_svc_encode_jpeg failed");
 *resize_image = image;
@@ -709,6 +710,7 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 *resize_size = size;
 return MS_MEDIA_ERR_NONE;
 }
+ *resize_size = (unsigned int)resized_size;
 } else if ((strstr(img_format, "png") != NULL) || (strstr(img_format, "PNG") != NULL)) {
 media_svc_debug("type [png] size [%d]", size);
 *resize_image = image;
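Review bot: The added `*resize_size = (unsigned int)resized_size;` truncates silently if the encoder ever reports more than UINT_MAX bytes, which would leave the caller with a length that no longer matches the buffer in `*resize_image`. That is unlikely for a resized thumbnail, but the check is cheap: `if (resized_size > UINT_MAX)` before the assignment, falling back to the original image as the encode-failure branch does. The enclosing branch starts outside this hunk, so the buffer that would need releasing on that path is not visible here.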