From: Jiyong
Date: Thu, 11 Jul 2024 03:46:20 +0000 (+0900)
Subject: Bug fix. insecure strncmp
X-Git-Tag: accepted/tizen/unified/20240712.160041^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Faccepted%2Ftizen_9.0_unified;p=platform%2Fcore%2Fmultimedia%2Flibmm-utility.git

Bug fix. insecure strncmp

- fix svace issue (LIB.INSECURE_STRNCMP)

The problem is that such usage checks only the prefix of the string because the null terminator is not checked. It may be a source of vulnerability when used for comparing passwords. The correct pattern should use strlen(arg) + 1.

Change-Id: Ib66d43aac119b265c462b0ba35519caa3885d631
---
diff --git a/common/mm_util_private.c b/common/mm_util_private.c index d44cdee..2f9eb42 100644 --- a/common/mm_util_private.c +++ b/common/mm_util_private.c @@ -46,7 +46,7 @@ int mm_util_safe_fopen(const char *path, const char *mode, FILE **fp) mm_util_stderror("realpath failed"); return MM_UTIL_ERROR_NO_SUCH_FILE; } - if (strncmp(path, _realpath, strlen(path))) { + if (strncmp(path, _realpath, strlen(path) + 1)) { mm_util_error("file is symbolic link"); free(_realpath); return MM_UTIL_ERROR_NO_SUCH_FILE; diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec index 7958d9d..e0682b2 100644 --- a/packaging/libmm-utility.spec +++ b/packaging/libmm-utility.spec @@ -1,6 +1,6 @@ Name: libmm-utility Summary: Multimedia Framework Utility Library -Version: 0.4.24 +Version: 0.4.25 Release: 0 Group: System/Libraries License: Apache-2.0
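Review bot: in the mm_util_private.c hunk, `strncmp(path, _realpath, strlen(path) + 1)` is now exactly `strcmp(path, _realpath)` (the bound includes path's terminating NUL, so the comparison can never stop early), and the code should say so: write `if (strcmp(path, _realpath)) {` rather than keep a strncmp whose length argument only hides the intent. The fix does close the real gap in the old line, where `_realpath` could be any string that merely started with `path`, but the surrounding check still conflates "not a symbolic link" with "already canonical": a relative path, a path containing `.` or `..`, or a trailing slash also differs from the realpath() result and will be rejected with the misleading `"file is symbolic link"` message. Either document at the function that callers must pass an absolute, canonical path, or detect the actual condition with `lstat()` and `S_ISLNK()` on the final component and word the error accordingly. Also note that this comparison and the open that `mm_util_safe_fopen` presumably performs afterwards (not shown in the hunk) are separate steps, so a symlink swapped in between them is not caught by this check; if that matters for the callers, the open needs to be done in a way that refuses symlinks itself rather than relying on a pre-check.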