From 5ed66ddb7bc47aadc1e2e01cf07584435ff729e6 Mon Sep 17 00:00:00 2001
From: Haesu Gwon <haesu.gwon@samsung.com>
Date: Thu, 6 Oct 2016 18:27:53 +0900
Subject: [PATCH] Received message is at risk for corruption with previous
 message. So '\0' char is added at end of tokenized message.

[Version] 0.2.40
[Profile] Common
[Issue Type] New function
[Dependency module] N/A
[Dependency commit] N/A
[Test] [M(T) - Boot=(OK), sdb=(OK), Home=(OK), Touch=(OK), Version=tizen-mobile_20161005.3]

Change-Id: I8ea1542f33bdab44c1916668101687b285234870
Signed-off-by: Haesu Gwon <haesu.gwon@samsung.com>
---
 include/recorder_private.h         |  5 ++---
 packaging/capi-media-recorder.spec |  2 +-
 src/recorder.c                     | 32 +++++++++++++++++++++++---------
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/include/recorder_private.h b/include/recorder_private.h
index 6d29b75..a214032 100644
--- a/include/recorder_private.h
+++ b/include/recorder_private.h
@@ -26,8 +26,7 @@
 extern "C" {
 #endif
 
-#define RECORDER_PARSE_STRING_SIZE 30
-#define RECORDER_MSG_LENGTH_MAX    5120
+#define RECORDER_PARSED_STRING_NUM_MAX 20
 #define RECORDER_CB_TIMEOUT        5
 #define RECORDER_FILENAME_MAX      256
 
@@ -83,7 +82,7 @@ typedef struct _recorder_cb_info_s {
 	/* message receive thread */
 	GThread *msg_recv_thread;
 	gint msg_recv_running;
-	gchar recv_msg[RECORDER_MSG_LENGTH_MAX];
+	gchar recv_msg[MUSE_RECORDER_MSG_MAX_LENGTH * RECORDER_PARSED_STRING_NUM_MAX];
 	GCond api_cond[MUSE_RECORDER_API_MAX];
 	GMutex api_mutex[MUSE_RECORDER_API_MAX];
 	gint api_activating[MUSE_RECORDER_API_MAX];
diff --git a/packaging/capi-media-recorder.spec b/packaging/capi-media-recorder.spec
index aad428f..3a2229d 100644
--- a/packaging/capi-media-recorder.spec
+++ b/packaging/capi-media-recorder.spec
@@ -1,6 +1,6 @@
 Name:       capi-media-recorder
 Summary:    A Recorder API
-Version:    0.2.39
+Version:    0.2.40
 Release:    0
 Group:      Multimedia/API
 License:    Apache-2.0
diff --git a/src/recorder.c b/src/recorder.c
index 869ccd1..d92643f 100644
--- a/src/recorder.c
+++ b/src/recorder.c
@@ -791,6 +791,7 @@ static void *_recorder_msg_recv_func(gpointer data)
 	int num_token = 0;
 	int str_pos = 0;
 	int prev_pos = 0;
+	int msg_length = 0;
 	char *recv_msg = NULL;
 	char *error_msg = NULL;
 	char **parse_str = NULL;
@@ -803,13 +804,13 @@ static void *_recorder_msg_recv_func(gpointer data)
 
 	LOGD("start");
 
-	parse_str = (char **)malloc(sizeof(char *) * RECORDER_PARSE_STRING_SIZE);
+	parse_str = (char **)malloc(sizeof(char *) * RECORDER_PARSED_STRING_NUM_MAX);
 	if (parse_str == NULL) {
 		LOGE("parse_str malloc failed");
 		return NULL;
 	}
 
-	for (i = 0 ; i < RECORDER_PARSE_STRING_SIZE ; i++) {
+	for (i = 0 ; i < RECORDER_PARSED_STRING_NUM_MAX ; i++) {
 		parse_str[i] = (char *)malloc(sizeof(char) * MUSE_RECORDER_MSG_MAX_LENGTH);
 		if (parse_str[i] == NULL) {
 			LOGE("parse_str[%d] malloc failed", i);
@@ -836,13 +837,26 @@ static void *_recorder_msg_recv_func(gpointer data)
 		/*LOGD("recvMSg : %s, length : %d", recv_msg, ret);*/
 
 		/* Need to split the combined entering msgs.
-		    This module supports up to 200 combined msgs. */
+		    This module supports up to 20 combined msgs. */
 		for (str_pos = 0; str_pos < ret; str_pos++) {
 			if (recv_msg[str_pos] == '}') {
-				strncpy(parse_str[num_token], recv_msg + prev_pos, str_pos - prev_pos + 1);
-				/*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
-				prev_pos = str_pos+1;
-				num_token++;
+				msg_length = str_pos - prev_pos + 1;
+
+				if (msg_length < MUSE_RECORDER_MSG_MAX_LENGTH) {
+					strncpy(parse_str[num_token], recv_msg + prev_pos, msg_length);
+					parse_str[num_token][msg_length] = '\0';
+					num_token++;
+					/*LOGD("splitted msg : [%s], Index : %d", parse_str[num_token], num_token);*/
+				} else {
+					LOGW("too long message : length %d [%s]", msg_length, recv_msg + prev_pos);
+				}
+
+				prev_pos = str_pos + 1;
+
+				if (num_token >= RECORDER_PARSED_STRING_NUM_MAX) {
+					LOGE("There's too many tokens. Remained msg : %s", recv_msg[++str_pos]);
+					break;
+				}
 			}
 		}
 
@@ -850,7 +864,7 @@ static void *_recorder_msg_recv_func(gpointer data)
 
 		/* Re-construct to the useful single msg. */
 		for (i = 0; i < num_token; i++) {
-			if (i >= RECORDER_PARSE_STRING_SIZE) {
+			if (i >= RECORDER_PARSED_STRING_NUM_MAX) {
 				LOGE("invalid token index %d", i);
 				break;
 			}
@@ -955,7 +969,7 @@ static void *_recorder_msg_recv_func(gpointer data)
 
 CB_HANDLER_EXIT:
 	if (parse_str) {
-		for (i = 0 ; i < RECORDER_PARSE_STRING_SIZE ; i++) {
+		for (i = 0 ; i < RECORDER_PARSED_STRING_NUM_MAX ; i++) {
 			if (parse_str[i]) {
 				free(parse_str[i]);
 				parse_str[i] = NULL;
-- 
2.7.4