From: minje.ahn Date: Thu, 18 Aug 2022 05:08:41 +0000 (+0900) Subject: Fix heap-use-after-free in __remove_ogg_picture() X-Git-Tag: submit/tizen/20220818.080154^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_8.0;p=platform%2Fcore%2Fapi%2Fmetadata-editor.git Fix heap-use-after-free in __remove_ogg_picture() Fixed 'setAutoDelete' to 'false' so that pictureList is not freed while looking for picture. Change-Id: I68223bfd2c2ad59b4da033665e3e7cdd857d3fe1 Signed-off-by: minje.ahn --- diff --git a/src/metadata_editor.cpp b/src/metadata_editor.cpp index 79107b2..4bfb53e 100755 --- a/src/metadata_editor.cpp +++ b/src/metadata_editor.cpp @@ -174,18 +174,11 @@ static int __remove_APIC(ID3v2::Tag *tag, int index) static int __remove_ogg_picture(Ogg::XiphComment *xtag, int index) { ME_RETVM_IF(!xtag, METADATA_EDITOR_ERROR_INVALID_PARAMETER, "Invalid XiphComment"); - ME_RETV_IF(!__is_valid_index(xtag->pictureList(), index), METADATA_EDITOR_ERROR_INVALID_PARAMETER); - - /* xiphComment::removePicture works abnormally. Do not modify this fuction. - - Use xtag->pictureList()[index] : crashed - - Use copied xtag->pictureList()[index] : crashed - - Use iterator with std::next() : heap-use-after-free occured - */ - List::Iterator it = xtag->pictureList().begin(); - std::advance(it, index); + auto lst = xtag->pictureList(); + lst.setAutoDelete(false); + ME_RETV_IF(!__is_valid_index(lst, index), METADATA_EDITOR_ERROR_INVALID_PARAMETER); - /* No need to set it to 'true'. taglib sets auto-delete. */ - xtag->removePicture(*it, false); + xtag->removePicture(lst[index], true); return METADATA_EDITOR_ERROR_NONE; } @@ -296,7 +289,6 @@ public: auto lst = __file->pictureList(); ME_RETV_IF(!__is_valid_index(lst, index), METADATA_EDITOR_ERROR_INVALID_PARAMETER); - /* No need to set it to 'true'. taglib sets auto-delete. */ __file->removePicture(lst[index], false); return METADATA_EDITOR_ERROR_NONE; }