From db38c3378bc9a8c19035318c8ec0f7bde5710091 Mon Sep 17 00:00:00 2001
From: hj kim
Date: Wed, 25 Mar 2020 09:28:10 +0900
Subject: [PATCH] Fix underflow issue.
Change-Id: Ie42cec442f8c57668b77d8d0682e556787e6c98e
---
src/common/media-svc-util.c | 83 +++++++++++++++++++--------------------------
1 file changed, 34 insertions(+), 49 deletions(-)
diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index faf616c..e3c8d3c 100644
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -795,13 +795,12 @@ int image_360_check(char *path)
 unsigned char exif_header[4] = {0, };
 unsigned char exif_app1[2] = {0, };
 unsigned char exif_app1_xmp[2] = {0, };
- long exif_app1_xmp_size = 0;
+ gsize exif_app1_xmp_size = 0;
 unsigned char exif_app1_xmp_t[2] = {0, };
 char *xmp_data = NULL;
- int size1 = 0;
- int size2 = 0;
 int fdata = 0;
 int temp = 0;
+ int result = 0;
 memset(exif_header, 0x00, sizeof(exif_header));
 memset(exif_app1, 0x00, sizeof(exif_app1));
@@ -821,10 +820,7 @@ int image_360_check(char *path)
 if (size <= 0)
 goto ERROR;
- size1 = exif_app1[0];
- size2 = exif_app1[1];
-
- app1_size = size1 * 256 + size2 - 2;
+ app1_size = (long)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ;
 if (fseek(fp, app1_size, SEEK_CUR) != 0)
 goto ERROR;
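Review bot: A length field below 2 leaves `app1_size` negative in the second hunk (`@@ -821,10 +820,7 @@`), and the `fseek(fp, app1_size, SEEK_CUR)` that follows then steps backwards in the file instead of rejecting the segment. I would add `if (app1_size < 0) goto ERROR;` directly after the assignment. The `if (size <= 0)` context line above it appears to guard the two-byte read of `exif_app1` (the read itself is outside the hunk), and if so it also accepts a one-byte short read; comparing against `sizeof(exif_app1)` would close that. The body of image_360_check starts and ends outside this hunk.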
@@ -834,64 +830,53 @@ int image_360_check(char *path)
 goto ERROR;
 if ((exif_app1_xmp[0] == 0xff) && (exif_app1_xmp[1] == 0xe1)) {
- int result = 0;
 char *ptr = NULL;
 size = fread(exif_app1_xmp_t, 1, sizeof(exif_app1_xmp_t), fp);
 if (size <= 0)
 goto ERROR;
- size1 = exif_app1_xmp_t[0];
- size2 = exif_app1_xmp_t[1];
-
- exif_app1_xmp_size = size1 * 256 + size2 - 2;
-
- if (exif_app1_xmp_size > 0) {
- xmp_data = (char *)malloc(exif_app1_xmp_size);
- memset(xmp_data, 0x0, exif_app1_xmp_size);
-
- ptr = xmp_data;
+ exif_app1_xmp_size = (long)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2;
- while (exif_app1_xmp_size >= 0) {
- exif_app1_xmp_size--;
- fdata = fgetc(fp);
- if (fdata == EOF)
- continue;
- if (fdata == '\0')
- continue;
- *ptr = (char)fdata;
- ptr++;
- temp++;
- }
- ptr = ptr - temp;
-
- if (strstr(ptr, "UsePanoramaViewer")
- && strstr(ptr, "True")
- && strstr(ptr, "ProjectionType")
- && strstr(ptr, "equirectangular"))
- result = 1;
- SAFE_FREE(xmp_data);
- } else {
- media_svc_error("invalid exif_app1_xmp_size [%ld]", exif_app1_xmp_size);
+ xmp_data = g_malloc(exif_app1_xmp_size);
+ if (!xmp_data) {
+ media_svc_error("invalid exif_app1_xmp_size [%u]", exif_app1_xmp_size);
+ goto ERROR;
 }
- if (fp) {
- fclose(fp);
- fp = NULL;
- }
- return result;
- } else {
- goto ERROR;
+ ptr = xmp_data;
+
+ do {
+ exif_app1_xmp_size--;
+ fdata = fgetc(fp);
+ if (fdata == EOF)
+ continue;
+ if (fdata == '\0')
+ continue;
+ *ptr = (char)fdata;
+ ptr++;
+ temp++;
+ } while (exif_app1_xmp_size > 0);
+
+ ptr -= temp;
+
+ if (strstr(ptr, "UsePanoramaViewer")
+ && strstr(ptr, "True")
+ && strstr(ptr, "ProjectionType")
+ && strstr(ptr, "equirectangular"))
+ result = 1;
+
+ SAFE_FREE(xmp_data);
 }
- } else {
- goto ERROR;
 }
+
 ERROR:
 if (fp) {
 fclose(fp);
 fp = NULL;
 }
- return 0;
+
+ return result;
 }
 static char * __media_svc_get_title(MMHandleType tag, const char *path)
-- 
2.7.4
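Review bot: A segment length of 0 or 1 still underflows at the new `exif_app1_xmp_size = (long)(...) - 2;`, because the negative result is converted to the unsigned `gsize` and becomes an enormous allocation request. `g_malloc` aborts the process on allocation failure instead of returning NULL, so the `if (!xmp_data)` branch only catches a size of zero and a malformed file can terminate the caller. The buffer is also no longer zeroed and has no room for a terminator, so the `strstr` calls can read past the bytes the copy loop wrote. I would validate the length before subtracting and allocate one extra zeroed byte, as sketched below; `%u` is also the wrong conversion for a `gsize` (`G_GSIZE_FORMAT` exists for that). The body of image_360_check starts outside this hunk.

```c
/* … unchanged: fread of exif_app1_xmp_t and its size check … */
guint seg_len = (exif_app1_xmp_t[0] << 8) | exif_app1_xmp_t[1];

/* the length field counts its own two bytes; anything <= 2 carries no payload */
if (seg_len <= 2) {
	media_svc_error("invalid XMP segment length [%u]", seg_len);
	goto ERROR;
}
exif_app1_xmp_size = seg_len - 2;

/* one extra zeroed byte keeps the buffer terminated for strstr() */
xmp_data = g_malloc0(exif_app1_xmp_size + 1);
ptr = xmp_data;
/* … unchanged: byte-copy loop, strstr checks, SAFE_FREE … */
```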