From e70baf692ae6fe7bafebbc5bb1a2719cf162421e Mon Sep 17 00:00:00 2001
From: Jiyong Min
Date: Tue, 14 Jun 2016 16:55:52 +0900
Subject: [PATCH] Fix tainted width & height issue for gif
Change-Id: Icd49bf7a45e1e86b715f9377efa1196bb7566ba5
Signed-off-by: Jiyong Min
---
 gif/mm_util_gif.c | 14 +++++++++++---
 packaging/libmm-utility.spec | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c
index da6ee75..0f4f2a7 100755
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -114,7 +114,10 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
 mm_util_error("Gif File wrong decode parameters");
 return MM_UTIL_ERROR_INVALID_OPERATION;
 }
-
+ if (GifFile->SWidth <= 0 || GifFile->SHeight <= 0) {
+ mm_util_error("Gif File wrong decode width & height");
+ return MM_UTIL_ERROR_INVALID_OPERATION;
+ }
 decoded->width = GifFile->SWidth;
 decoded->height = GifFile->SHeight;
 decoded->size = (unsigned long long)GifFile->SWidth * (unsigned long long)GifFile->SHeight * 4;
@@ -127,7 +130,7 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
 }
 Size = GifFile->SWidth * sizeof(GifPixelType); /* Size in bytes one row. */
- if ((screen_buffer[0] = (GifRowType) malloc(Size)) == NULL) { /* First row. */
+ if ((screen_buffer[0] = (GifRowType) calloc(1, Size)) == NULL) { /* First row. */
 mm_util_error("Failed to allocate memory required, aborted.");
 ret = MM_UTIL_ERROR_INVALID_OPERATION;
 goto error;
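Review bot: The new `SWidth`/`SHeight` rejection in the hunk at -114 leaves with a bare `return`, while every later failure path of `__read_gif` visible in this patch sets `ret` and does `goto error`. Because the check dereferences `GifFile`, the decoder handle is already open at this point, so the early return probably leaks it for exactly the malformed files this patch is meant to reject. Either close the handle before returning or route through the cleanup label, e.g. `ret = MM_UTIL_ERROR_INVALID_OPERATION; goto error;`, provided the `error:` path tolerates an unallocated `screen_buffer` (the label is outside the hunk, so confirm). The check also has no upper bound, so a header announcing a very large screen still drives the row allocations below; a project-defined limit on `SWidth * SHeight` would cap that.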
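Review bot: `calloc(1, Size)` in the hunk at -127 (and again for the remaining rows in the hunk at -137) passes an already-multiplied byte count, so calloc's own overflow check on `nmemb * size` goes unused. Writing it as `calloc(GifFile->SWidth, sizeof(GifPixelType))` keeps the zero-fill and lets the allocator reject a wrapped product; `Size` is declared outside the hunk, so whether the precomputed value can truncate depends on its type. The `(GifRowType)` cast is unnecessary in C and can be dropped. A short comment saying why the rows are zero-filled would help, since the surrounding comments say each row is then set to the background colour anyway.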
@@ -137,7 +140,7 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
 screen_buffer[0][i] = GifFile->SBackGroundColor;
 for (i = 1; i < GifFile->SHeight; i++) { /* Allocate the other rows, and set their color to background too: */
- if ((screen_buffer[i] = (GifRowType) malloc(Size)) == NULL) {
+ if ((screen_buffer[i] = (GifRowType) calloc(1, Size)) == NULL) {
 mm_util_error("Failed to allocate memory required, aborted.");
 ret = MM_UTIL_ERROR_INVALID_OPERATION;
 goto error;
@@ -160,6 +163,11 @@ static int __read_gif(mm_util_gif_data *decoded, const char *filename, void *mem
 ret = MM_UTIL_ERROR_INVALID_OPERATION;
 goto error;
 }
+ if (GifFile->Image.Top < 0 || GifFile->Image.Left < 0 || GifFile->Image.Width <= 0 || GifFile->Image.Height <= 0) {
+ mm_util_error("Gif File wrong decode width & height");
+ ret = MM_UTIL_ERROR_INVALID_OPERATION;
+ goto error;
+ }
 Row = GifFile->Image.Top; /* Image Position relative to Screen. */
 Col = GifFile->Image.Left;
 Width = GifFile->Image.Width;
diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec
index 212482c..00da96a 100755
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
@@ -1,6 +1,6 @@
 Name: libmm-utility
 Summary: Multimedia Framework Utility Library
-Version: 0.22
+Version: 0.23
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
--
2.34.1
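Review bot: The added check in the hunk at -160 rejects negative offsets and non-positive frame sizes but never compares the frame against the logical screen, although the rows above were allocated as `SHeight` rows of `SWidth` pixels. If the code after this hunk does not already do so (the function continues outside the hunk), the same guard should also reject a frame that extends past the screen: `GifFile->Image.Left + GifFile->Image.Width > GifFile->SWidth || GifFile->Image.Top + GifFile->Image.Height > GifFile->SHeight`. Without that, a file-supplied image descriptor can still index outside `screen_buffer`. The log text duplicates the screen-size message from the hunk at -114; a distinct string such as `"Gif File wrong image position or size"` would let the two rejections be told apart.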