From 4a5a45cbd713614071cdf049704c2e5c40b701d6 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Mon, 20 Jan 2020 14:34:34 +0900
Subject: [PATCH] Fix coverity issue - Use after free (USE_AFTER_FREE) Returns after free '_dst' - Use macro(g_list_next) and add to check return value in loop
Change-Id: Ie08c5fd02a4ad3c80d7d2c054c2ac34cccb3777a
---
 src/media_controller_client.c | 4 ++--
 src/media_controller_metadata.c | 14 +++++++++-----
 src/media_controller_playlist.c | 2 +-
 svc/media_controller_svc.c | 4 ++--
 test/server_test/media_controller_server_test.c | 2 +-
 5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/media_controller_client.c b/src/media_controller_client.c
index fe9d03c..cc6c134 100644
--- a/src/media_controller_client.c
+++ b/src/media_controller_client.c
@@ -590,7 +590,7 @@ static int __mc_client_unregister_filter_listener(media_controller_client_s *mc_
 mc_debug("filter[%s.%s] is unregistered. Remaining filters: [%d]", server_name, signal_name, g_list_length(*filter_list));
 } else {
 /* Unregister all filters */
- for (iter = *filter_list; iter; iter = iter->next) {
+ for (iter = *filter_list; iter; iter = g_list_next(iter)) {
 mc_debug("filter[%s.%s]", (char *)(iter->data), signal_name);
 ret = _mc_ipc_unregister_filter_listener(&mc_client->listeners, (char *)(iter->data), signal_name);
@@ -980,7 +980,7 @@ int mc_client_foreach_server_subscribed(mc_client_h client, const mc_subscriptio
 mc_retvm_if(!mc_client->updated_cb[subscription_type].filter_list, MEDIA_CONTROLLER_ERROR_NONE, "No filter list for the subscription_type [%d]", subscription_type);
- for (iter = mc_client->updated_cb[subscription_type].filter_list; iter; iter = iter->next) {
+ for (iter = mc_client->updated_cb[subscription_type].filter_list; iter; iter = g_list_next(iter)) {
 if (!MC_STRING_VALID(iter->data)) continue;
 if (!callback(iter->data, user_data))
diff --git a/src/media_controller_metadata.c b/src/media_controller_metadata.c
index 826010f..9196790 100644
--- a/src/media_controller_metadata.c
+++ b/src/media_controller_metadata.c
@@ -393,7 +393,7 @@ int mc_search_foreach_condition(mc_search_h search, mc_search_condition_cb callb
 mc_debug("mc_search_foreach_condition length [%d]", g_list_length(mc_search->search_list));
- for (iter = mc_search->search_list; iter; iter = iter->next) {
+ for (iter = mc_search->search_list; iter; iter = g_list_next(iter)) {
 search_item = (mc_search_item_s*)iter->data;
 if (!search_item) continue;
@@ -418,16 +418,20 @@ int mc_search_clone(mc_search_h src, mc_search_h *dst)
 ret = mc_search_create(&_dst);
 mc_retvm_if(ret != MEDIA_CONTROLLER_ERROR_NONE, ret, "fail to mc_search_create()");
- for (iter = _src->search_list; iter; iter = iter->next) {
+ for (iter = _src->search_list; iter; iter = g_list_next(iter)) {
 search_item = (mc_search_item_s*)iter->data;
 if (!search_item) {
 mc_error("Invalid item [%p]", iter->data);
- ret = MEDIA_CONTROLLER_ERROR_INVALID_PARAMETER;
 mc_search_destroy(_dst);
- break;
+ return MEDIA_CONTROLLER_ERROR_INVALID_PARAMETER;
 }
- ret = mc_search_set_condition(_dst, search_item->content_type, search_item->category, search_item->search_keyword, search_item->data);
+ ret = mc_search_set_condition(_dst, search_item->content_type, search_item->category, search_item->search_keyword, search_item->data);
+ if (ret != MEDIA_CONTROLLER_ERROR_NONE) {
+ mc_error("mc_search_set_condition failed(%d).", ret);
+ mc_search_destroy(_dst);
+ return ret;
+ }
 }
 *dst = _dst;
diff --git a/src/media_controller_playlist.c b/src/media_controller_playlist.c
index c9b3735..3d53ee8 100644
--- a/src/media_controller_playlist.c
+++ b/src/media_controller_playlist.c
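Review bot: The two new failure returns inside the `mc_search_clone` loop free `_dst` but leave the caller's `*dst` untouched, so a caller that does not check the return code carries on with whatever value its handle held before the call. Writing `*dst = NULL;` ahead of the loop, once `dst` itself has been validated, would make a failed clone hand back a defined value; whether `dst` is checked for NULL is not visible because the function begins above this hunk. The destroy-and-return pair now appears twice, and a single cleanup label would keep a future third failure path from reintroducing the returned-after-free handle this commit removes. `mc_error("Invalid item [%p]", iter->data)` sits on the branch where `iter->data` is already known to be NULL, so the message carries no information as written.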
@@ -68,7 +68,7 @@ static int __get_bundle_data(GList *playlist, bundle_raw **bundle_data, int *bun
 bundle = bundle_create();
 mc_retvm_if(!bundle, MEDIA_CONTROLLER_ERROR_INVALID_PARAMETER, "fail to bundle_create");
- for (iter = playlist; iter; iter = iter->next) {
+ for (iter = playlist; iter; iter = g_list_next(iter)) {
 item = (mc_playlist_item_s*)iter->data;
 if (!item || !item->index || !item->metadata) {
diff --git a/svc/media_controller_svc.c b/svc/media_controller_svc.c
index 024277b..5b7a383 100644
--- a/svc/media_controller_svc.c
+++ b/svc/media_controller_svc.c
@@ -156,7 +156,7 @@ static void __mc_remove_cmd_to_send(gpointer data, gpointer user_data)
 mc_retm_if(!MC_STRING_VALID(_user_data->message->msg), "Invalid msg");
 mc_retm_if(!_app_data->cmds_to_send, "Nothing to remove");
- for (iter = _app_data->cmds_to_send; iter; iter = iter->next) {
+ for (iter = _app_data->cmds_to_send; iter; iter = g_list_next(iter)) {
 if (!iter->data) continue;
@@ -535,7 +535,7 @@ static int __mc_service_app_dead_handler(int pid, void *data)
 mc_retvm_if(!_service_data, AUL_R_ERROR, "data is null!");
 mc_retvm_if(!_service_data->connected_apps, AUL_R_OK, "No connected application!");
- for (iter = _service_data->connected_apps; iter; iter = iter->next) {
+ for (iter = _service_data->connected_apps; iter; iter = g_list_next(iter)) {
 _app_data = (mc_app_data_set_t *)iter->data;
 if ((!_app_data) || (_app_data->pid != pid))
diff --git a/test/server_test/media_controller_server_test.c b/test/server_test/media_controller_server_test.c
index c77d6fd..edaeb9f 100755
--- a/test/server_test/media_controller_server_test.c
+++ b/test/server_test/media_controller_server_test.c
@@ -455,7 +455,7 @@ static int __update_playlist(mc_server_h server, mc_playlist_update_mode_e mode)
 if (ret != MEDIA_CONTROLLER_ERROR_NONE) mc_error("Fail to mc_playlist_foreach_playlist [%d]", ret);
- for (iter = playlist_list; iter; iter = iter->next) {
+ for (iter = playlist_list; iter; iter = g_list_next(iter)) {
 mc_playlist_h playlist = NULL;
 char *playlist_name = NULL;
--
2.7.4