From 66cb6ae17cdba1cb89881d55a498c7d4d8de521c Mon Sep 17 00:00:00 2001 From: Jiyong Min Date: Mon, 11 Dec 2017 13:04:33 +0900 Subject: [PATCH] Add to check realpath before fopen Change-Id: If29fb2f6e731625dd2b69fa3a8db404345bb3b72 Signed-off-by: Jiyong Min --- jpeg/mm_util_jpeg.c | 21 ++++++++++++++++++--- png/mm_util_png.c | 25 ++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/jpeg/mm_util_jpeg.c b/jpeg/mm_util_jpeg.c index 9f3a271..9a7e028 100755 --- a/jpeg/mm_util_jpeg.c +++ b/jpeg/mm_util_jpeg.c @@ -454,6 +454,7 @@ static void __my_error_exit(j_common_ptr cinfo) static int __mm_image_encode_to_jpeg_file_with_libjpeg(const char *pFileName, void *rawdata, int width, int height, mm_util_jpeg_yuv_format fmt, int quality) { int iErrorCode = MM_UTIL_ERROR_NONE; + char *realPATH = NULL; struct jpeg_compress_struct cinfo; struct jpeg_error_mgr jerr; @@ -477,12 +478,26 @@ static int __mm_image_encode_to_jpeg_file_with_libjpeg(const char *pFileName, vo jpeg_create_compress(&cinfo); - if ((fpWriter = fopen(pFileName, "wb")) == NULL) { - mm_util_error("[infile] file open [%s] failed", pFileName); - mm_util_stderror("file open failed"); + realPATH = realpath(pFileName, NULL); + if (realPATH == NULL) { + mm_util_error("realpath failed"); + return MM_UTIL_ERROR_NO_SUCH_FILE; + } + if (!strncmp(pFileName, realPATH, strlen(pFileName))) { + if ((fpWriter = fopen(pFileName, "wb")) == NULL) { + mm_util_error("[infile] file open [%s] failed", pFileName); + mm_util_stderror("file open failed"); + MMUTIL_SAFE_FREE(realPATH); + return MM_UTIL_ERROR_NO_SUCH_FILE; + } + } else { + mm_util_error("[infile] file [%s] is symlink", pFileName); + MMUTIL_SAFE_FREE(realPATH); return MM_UTIL_ERROR_NO_SUCH_FILE; } + MMUTIL_SAFE_FREE(realPATH); + jpeg_stdio_dest(&cinfo, fpWriter); cinfo.image_width = width; cinfo.image_height = height; diff --git a/png/mm_util_png.c b/png/mm_util_png.c index 80cb8d3..9f08ca8 100755 --- a/png/mm_util_png.c 
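Review bot: The symlink test `!strncmp(pFileName, realPATH, strlen(pFileName))` compares only a prefix, so a link whose resolved target merely begins with the link's own path (constructed example: `/tmp/out` resolving to `/tmp/out.real`) is accepted as a regular file; `if (strcmp(pFileName, realPATH) == 0)` compares the whole path. realpath() fails when the path does not exist yet and always returns an absolute path, so as written a new output file or a relative pFileName appears to be rejected, which looks unintended for an encoder and is worth confirming against callers. The early returns in this hunk follow `jpeg_create_compress(&cinfo)` without a matching `jpeg_destroy_compress(&cinfo)`; doing the path check before creating the compressor would avoid that. The same comparison is used in the png/mm_util_png.c hunk, and the function body continues outside this hunk.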
+++ b/png/mm_util_png.c @@ -474,11 +474,34 @@ int write_png(void **data, mm_util_png_data *encoded, FILE *fp) int mm_util_encode_to_png_file(void **data, mm_util_png_data *encoded, const char *fpath) { int ret = MM_UTIL_ERROR_NONE; + char *realPATH = NULL; FILE *fp; mm_util_debug("mm_util_encode_to_png"); - if ((fp = fopen(fpath, "w")) == NULL) + + if (fpath == NULL) { + mm_util_error("Invalid parameter"); + return MM_UTIL_ERROR_NO_SUCH_FILE; + } + + realPATH = realpath(fpath, NULL); + if (realPATH == NULL) { + mm_util_error("realpath failed"); + return MM_UTIL_ERROR_NO_SUCH_FILE; + } + + if (!strncmp(fpath, realPATH, strlen(fpath))) { + if ((fp = fopen(fpath, "w")) == NULL) { + mm_util_stderror("file open failed"); + MMUTIL_SAFE_FREE(realPATH); + return MM_UTIL_ERROR_NO_SUCH_FILE; + } + } else { + mm_util_error("file is symbolic link"); + MMUTIL_SAFE_FREE(realPATH); return MM_UTIL_ERROR_NO_SUCH_FILE; + } + MMUTIL_SAFE_FREE(realPATH); ret = write_png(data, encoded, fp); -- 2.34.1
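Review bot: The path is checked by name with realpath() and then opened by name with `fopen(fpath, "w")`, so the file that gets opened is not guaranteed to be the one that was checked if the path changes in between. Opening with `open()` and `O_NOFOLLOW`, then wrapping the descriptor with `fdopen()`, makes the kernel refuse a symlink in the final component at open time and also works for output files that do not exist yet. `O_NOFOLLOW` does not cover symlinks in parent directories, so the output directory still has to be trusted. The same check-then-open sequence is in the jpeg/mm_util_jpeg.c hunk, and this needs `<fcntl.h>` and `<unistd.h>` if the file does not already include them.

```c
/* … unchanged: fpath NULL check … */

/* Refuse a symlink at open time instead of checking the name first.
 * 0666 is the creation mode fopen() would use; the umask still applies. */
int fd = open(fpath, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0666);
if (fd < 0) {
	mm_util_stderror("file open failed");
	return MM_UTIL_ERROR_NO_SUCH_FILE;
}

if ((fp = fdopen(fd, "w")) == NULL) {
	mm_util_stderror("fdopen failed");
	close(fd);
	return MM_UTIL_ERROR_NO_SUCH_FILE;
}

/* … unchanged: write_png call … */
```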