From 27c314b4e55f792383d3fae076756d6adf94d939 Mon Sep 17 00:00:00 2001
From: Jeongmo Yang
Date: Tue, 11 Jul 2017 10:45:21 +0900
Subject: [PATCH] Fix security issue - buffer overflow
[Version] 0.10.125
[Profile] Common
[Issue Type] Security issue
[Issue#] SATIZENVUL-916
[Dependency module] N/A
[Test] [M(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-unified_20170704.3]
Change-Id: Ida060c371fac6a6366b5160ed3862799d4fec564
Signed-off-by: Jeongmo Yang
---
 packaging/libmm-camcorder.spec | 2 +-
 src/mm_camcorder_util.c | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/packaging/libmm-camcorder.spec b/packaging/libmm-camcorder.spec
index 30121e5..21a6735 100644
--- a/packaging/libmm-camcorder.spec
+++ b/packaging/libmm-camcorder.spec
@@ -1,6 +1,6 @@
 Name: libmm-camcorder
 Summary: Camera and recorder library
-Version: 0.10.124
+Version: 0.10.125
 Release: 0
 Group: Multimedia/Libraries
 License: Apache-2.0
diff --git a/src/mm_camcorder_util.c b/src/mm_camcorder_util.c
index cfcaa2d..77f3a43 100644
--- a/src/mm_camcorder_util.c
+++ b/src/mm_camcorder_util.c
@@ -46,6 +46,8 @@
 -----------------------------------------------------------------------*/
 #define TIME_STRING_MAX_LEN 64
 #define __MMCAMCORDER_CAPTURE_WAIT_TIMEOUT 5
+#define __MMCAMCORDER_MAX_WIDTH 8192
+#define __MMCAMCORDER_MAX_HEIGHT 8192
 #define FPUTC_CHECK(x_char, x_file) \
 { \
@@ -2239,6 +2241,12 @@ static gboolean _mmcamcorder_convert_NV12_to_I420(unsigned char *src, guint widt
 return FALSE;
 }
+ /* buffer overflow prevention check */
+ if (width > __MMCAMCORDER_MAX_WIDTH || height > __MMCAMCORDER_MAX_HEIGHT) {
+ _mmcam_dbg_err("too large size %d x %d", width, height);
+ return FALSE;
+ }
+
 dst_size = (width * height * 3) >> 1;
 _mmcam_dbg_log("NV12 -> I420 : %dx%d, dst size %d", width, height, dst_size);
--
2.34.1
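Review bot: The new guard in `_mmcamcorder_convert_NV12_to_I420` rejects only oversized dimensions, so a zero `width` or `height` still reaches `dst_size = (width * height * 3) >> 1` and produces a zero-length destination; consider `if (width == 0 || height == 0 || width > __MMCAMCORDER_MAX_WIDTH || height > __MMCAMCORDER_MAX_HEIGHT) {`. `width` is a `guint` in the visible signature (and `height` presumably is too), so the error message should use `%u` rather than `%d`. The two 8192 limits would also benefit from a comment at their definition saying that they keep `width * height * 3` well inside 32 bits, since that is the invariant the check relies on. The function body starts and ends outside the hunk, so whether the source buffer length is validated against these dimensions cannot be seen here.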