From: Jiyong
Date: Mon, 24 Mar 2025 04:38:13 +0000 (+0900)
Subject: Add valid size checker to prevent overflow
X-Git-Tag: accepted/tizen/unified/20250326.130903^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Faccepted%2Ftizen_unified;p=platform%2Fcore%2Fmultimedia%2Flibmm-imgp-gstcs.git

Add valid size checker to prevent overflow

Change-Id: I7d01f2922ec76958f316c0fc67c0c1f9a46098e1
---

diff --git a/gstcs/mm_util_gstcs.c b/gstcs/mm_util_gstcs.c
index ca7eb81..4fbbcd7 100644
--- a/gstcs/mm_util_gstcs.c
+++ b/gstcs/mm_util_gstcs.c
@@ -27,7 +27,7 @@
 #define MM_UTIL_ROUND_UP_8(num) (((num)+7)&~7)
 #define SAFE_UNREF_CAPS(caps) { if (caps) { gst_caps_unref(caps); caps = NULL; } }
-
+#define MAX_RAW_IMG_SIZE (512 * 1024 * 1024)
 static GstFlowReturn _mm_sink_sample(GstElement * appsink, gpointer user_data)
 {
@@ -87,7 +87,7 @@ static gboolean _mm_on_src_message(GstBus * bus, GstMessage * message, gpointer
 return TRUE;
 }
-static int _mm_get_byte_per_pixcel(mm_util_color_format_e color_format)
+static unsigned int _mm_get_byte_per_pixcel(mm_util_color_format_e color_format)
 {
 int byte_per_pixcel = 1;
@@ -391,7 +391,7 @@ static int _mm_push_buffer_into_pipeline_new(unsigned char *src, gstcs_data_s *
 src_size = _mm_setup_image_size(color_format, stride, elevation);
- int byte_per_pixcel = _mm_get_byte_per_pixcel(color_format);
+ unsigned int byte_per_pixcel = _mm_get_byte_per_pixcel(color_format);
 unsigned int src_row = width * byte_per_pixcel;
 unsigned int stride_row = stride * byte_per_pixcel;
 unsigned int i = 0, y = 0;
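Review bot: The local `int byte_per_pixcel = 1;` in `_mm_get_byte_per_pixcel` (hunk `@@ -87`) is still signed although the return type is now `unsigned int`, so the value is converted implicitly at the return statement. Declaring it `unsigned int byte_per_pixcel = 1;` keeps the local in step with the new signature and with the caller updated in the `@@ -391` hunk. The rest of the function body lies outside the hunk, so whether any branch can assign a negative value could not be checked from here.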
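Review bot: `src_row = width * byte_per_pixcel` and `stride_row = stride * byte_per_pixcel` in the `@@ -391` hunk remain 32-bit products, and nothing visible in `_mm_push_buffer_into_pipeline_new` bounds `width` or `stride`; the only guard this commit adds sits in `mm_imgp`. A comment above them such as `/* width and stride are bounded by _mm_imgp_check_valid_size() in mm_imgp() */` would record that precondition for anyone adding another call path. The function starts and ends outside the hunk, so the types of `width` and `stride` and how the row sizes are consumed are not visible.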
@@ -632,7 +632,7 @@ static int _mm_imgp_gstcs(imgp_info_s* pImgp_info, unsigned char *src, unsigned
 }
 /* Do gstreamer processing */
- ret = _mm_imgp_gstcs_processing(gstcs_data, src, dst, pImgp_info); /* input: buffer pointer for input image , input image format, input image width, input image height, output: buffer porinter for output image */
+ ret = _mm_imgp_gstcs_processing(gstcs_data, src, dst, pImgp_info);
 if (ret == GSTCS_ERROR_NONE)
 gstcs_debug("End _mm_imgp_gstcs_processing [dst: %p]", *dst);
@@ -652,9 +652,24 @@ static int _mm_imgp_gstcs(imgp_info_s* pImgp_info, unsigned char *src, unsigned
 static bool _mm_imgp_check_format(mm_util_color_format_e color_format)
 {
 if ((color_format >= MM_UTIL_COLOR_YUV420) && (color_format <= MM_UTIL_COLOR_BGRX))
- return TRUE;
+ return true;
+
+ return false;
+}
+
+static bool _mm_imgp_check_valid_size(mm_util_color_format_e color_format, unsigned int width, unsigned int height)
+{
+ unsigned int stride = 0, elevation = 0;
+ size_t image_size = 0;
+
+ _mm_get_round_up_width_height(color_format, width, height, &stride, &elevation);
+ image_size = _mm_setup_image_size(color_format, stride, elevation);
+
+ /* this limitation is same with mm_util_is_proper_image_size in libmm-utility */
+ if ((image_size > 0) && (image_size <= (size_t)(MAX_RAW_IMG_SIZE)))
+ return true;
- return FALSE;
+ return false;
 }
 int mm_imgp(imgp_info_s* pImgp_info, unsigned char *src, unsigned char **dst)
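Review bot: `_mm_imgp_check_valid_size` (hunk `@@ -652`) compares `image_size` with `MAX_RAW_IMG_SIZE` only after `_mm_get_round_up_width_height` and `_mm_setup_image_size` have already done arithmetic on the unchecked `width` and `height`. Neither helper body is in this diff, but if they compute in `unsigned int` (the `MM_UTIL_ROUND_UP_8` macro visibly adds 7 before masking), an oversized dimension can wrap to a small non-zero size and pass the `> 0 && <= MAX_RAW_IMG_SIZE` test. Bounding the raw dimensions before the round-up and the `stride * elevation` product before the size computation closes that gap, as sketched below. The division check leaves a factor of eight of 32-bit headroom above the cap, presumably enough for the per-pixel multiplier, which should be confirmed against `_mm_setup_image_size`.

```c
static bool _mm_imgp_check_valid_size(mm_util_color_format_e color_format, unsigned int width, unsigned int height)
{
	/* … unchanged: stride, elevation, image_size declarations … */

	/* bound the raw dimensions first so the round-up cannot wrap */
	if ((width == 0) || (height == 0) || (width > MAX_RAW_IMG_SIZE) || (height > MAX_RAW_IMG_SIZE))
		return false;

	_mm_get_round_up_width_height(color_format, width, height, &stride, &elevation);

	/* keep stride * elevation under the cap before the per-pixel factor is applied */
	if ((stride == 0) || (elevation > MAX_RAW_IMG_SIZE / stride))
		return false;

	/* … unchanged: _mm_setup_image_size call and the final range test … */
}
```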
@@ -662,8 +677,16 @@ int mm_imgp(imgp_info_s* pImgp_info, unsigned char *src, unsigned char **dst)
 gstcs_retvm_if(pImgp_info == NULL, GSTCS_ERROR_INVALID_PARAMETER, "Invalid info");
 gstcs_retvm_if(src == NULL, GSTCS_ERROR_INVALID_PARAMETER, "Invalid src");
 gstcs_retvm_if(dst == NULL, GSTCS_ERROR_INVALID_PARAMETER, "Invalid dst");
- gstcs_retvm_if((_mm_imgp_check_format(pImgp_info->src_format) == FALSE), GSTCS_ERROR_NOT_SUPPORTED_FORMAT, "not supported src_format [%d]", pImgp_info->src_format);
- gstcs_retvm_if((_mm_imgp_check_format(pImgp_info->dst_format) == FALSE), GSTCS_ERROR_NOT_SUPPORTED_FORMAT, "not supported dst_format [%d]", pImgp_info->dst_format);
+ gstcs_retvm_if(!_mm_imgp_check_format(pImgp_info->src_format),
+ GSTCS_ERROR_NOT_SUPPORTED_FORMAT, "not supported src_format [%d]", pImgp_info->src_format);
+ gstcs_retvm_if(!_mm_imgp_check_format(pImgp_info->dst_format),
+ GSTCS_ERROR_NOT_SUPPORTED_FORMAT, "not supported dst_format [%d]", pImgp_info->dst_format);
+ gstcs_retvm_if(!_mm_imgp_check_valid_size(pImgp_info->src_format, pImgp_info->src_width, pImgp_info->src_height),
+ GSTCS_ERROR_INVALID_PARAMETER, "Invalid src_format [%d] src_width [%u], src->height [%u]",
+ pImgp_info->src_format, pImgp_info->src_width, pImgp_info->src_height);
+ gstcs_retvm_if(!_mm_imgp_check_valid_size(pImgp_info->dst_format, pImgp_info->dst_width, pImgp_info->dst_height),
+ GSTCS_ERROR_INVALID_PARAMETER, "Invalid dst_format [%d] dst_width [%u], dst_height [%u]",
+ pImgp_info->dst_format, pImgp_info->dst_width, pImgp_info->dst_height);
 gstcs_debug("[src %p] [dst %p]", src, dst);
diff --git a/packaging/libmm-imgp-gstcs.spec b/packaging/libmm-imgp-gstcs.spec
index a0b95e3..b9a5235 100644
--- a/packaging/libmm-imgp-gstcs.spec
+++ b/packaging/libmm-imgp-gstcs.spec
@@ -1,6 +1,6 @@
 Name: libmm-imgp-gstcs
 Summary: Multimedia Framework Utility Library
-Version: 1.0.0
+Version: 1.0.1
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
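Review bot: The source size-check message in `mm_imgp` (hunk `@@ -662`) prints `src->height [%u]` where every neighbouring field uses the underscore form, which makes log searches for `src_height` miss it; the string should read `"Invalid src_format [%d] src_width [%u], src_height [%u]"`. Separately, the new checks bound the dimensions declared in `pImgp_info`, but `mm_imgp` takes no length for `src`, so they cannot tell whether the caller's buffer actually holds that many bytes. A comment above the checks such as `/* caller guarantees src holds the size implied by src_format, src_width and src_height */` would make that contract explicit. The body of `mm_imgp` continues outside the hunk.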