From cafeacec8b217e8cfbf722c61b444cd5636b561f Mon Sep 17 00:00:00 2001
From: Seungbae Shin <seungbae.shin@samsung.com>
Date: Wed, 18 Dec 2019 11:31:24 +0900
Subject: [PATCH] Fix some vulnerability (Null Pointer Dereference) defects

[Version] 0.12.59
[Issue Type] Vulnerability

Change-Id: I0d4ddd518dad40e4306cbc8f4200ccaa6f00ea78
(cherry picked from commit 38b3c36fd75409a72a7f2da8e3c27f15ef1ba7b9)
---
 focus_server/mm_sound_mgr_focus.c | 14 ++++++++++++--
 mm_sound_client.c                 | 16 +++++++++++-----
 mm_sound_pa_client.c              |  6 +++++-
 mm_sound_proxy.c                  |  6 +++++-
 packaging/libmm-sound.spec        |  2 +-
 5 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/focus_server/mm_sound_mgr_focus.c b/focus_server/mm_sound_mgr_focus.c
index 08249a0..b3b1844 100644
--- a/focus_server/mm_sound_mgr_focus.c
+++ b/focus_server/mm_sound_mgr_focus.c
@@ -692,7 +692,12 @@ int mm_sound_mgr_focus_create_node(const _mm_sound_mgr_focus_param_t *param)
 	if (ret)
 		goto FINISH;
 
-	node = g_malloc0(sizeof(focus_node_t));
+	node = (focus_node_t *)g_try_malloc0(sizeof(focus_node_t));
+	if (!node) {
+		debug_error("Failed to alloc node");
+		ret = MM_ERROR_OUT_OF_MEMORY;
+		goto FINISH;
+	}
 
 	/* fill up information to the node */
 	_mm_sound_mgr_focus_fill_info_from_msg(node, param);
@@ -1123,7 +1128,12 @@ int mm_sound_mgr_focus_add_watch_node(const _mm_sound_mgr_focus_param_t *param)
 		}
 	}
 
-	node = g_malloc0(sizeof(focus_node_t));
+	node = (focus_node_t *)g_try_malloc0(sizeof(focus_node_t));
+	if (!node) {
+		debug_error("Failed to alloc node");
+		ret = MM_ERROR_OUT_OF_MEMORY;
+		goto FINISH;
+	}
 
 	/* fill up information to the node */
 	_mm_sound_mgr_focus_fill_info_from_msg(node, param);
diff --git a/mm_sound_client.c b/mm_sound_client.c
index ad21494..3098929 100644
--- a/mm_sound_client.c
+++ b/mm_sound_client.c
@@ -99,7 +99,11 @@ struct callback_data {
 
 #define GET_CB_DATA(_cb_data, _func, _userdata, _extradata) \
 	do { \
-		_cb_data = (struct callback_data*) g_malloc0(sizeof(struct callback_data)); \
+		_cb_data = (struct callback_data*) g_try_malloc0(sizeof(struct callback_data)); \
+		if (!_cb_data) { \
+			debug_error("failed to allocate callback_data"); \
+			return MM_ERROR_OUT_OF_MEMORY; \
+		} \
 		_cb_data->user_cb = _func; \
 		_cb_data->user_data = _userdata; \
 		_cb_data->extra_data = _extradata; \
@@ -248,10 +252,14 @@ int mm_sound_client_play_sound_with_stream_info(MMSoundPlayParam *param, int *ha
 													getpid(), handle, stream_type, stream_id);
 	if (ret != MM_ERROR_NONE) {
 		debug_error("Play Sound Failed");
-		goto failed;
+		return ret;
 	}
 	if (param->callback) {
-		end_cb_data = (play_sound_end_callback_data_t *) g_malloc0(sizeof(play_sound_end_callback_data_t));
+		end_cb_data = (play_sound_end_callback_data_t *) g_try_malloc0(sizeof(play_sound_end_callback_data_t));
+		if (!end_cb_data) {
+			debug_error("Failed to alloc end_cb_data");
+			return MM_ERROR_OUT_OF_MEMORY;
+		}
 		end_cb_data->watching_handle = *handle;
 		GET_CB_DATA(cb_data, param->callback, param->data, end_cb_data);
 
@@ -261,8 +269,6 @@ int mm_sound_client_play_sound_with_stream_info(MMSoundPlayParam *param, int *ha
 			debug_error("Add callback for play sound(%d) Failed", *handle);
 	}
 
-failed:
-
 	debug_fleave();
 	return ret;
 
diff --git a/mm_sound_pa_client.c b/mm_sound_pa_client.c
index 4add2ba..5681117 100644
--- a/mm_sound_pa_client.c
+++ b/mm_sound_pa_client.c
@@ -215,7 +215,6 @@ int mm_sound_pa_open(MMSoundHandleMode mode, int volume_config, pa_sample_spec *
 	default:
 		err = MM_ERROR_SOUND_INTERNAL;
 		goto fail;
-		break;
 	}
 
 	if (!s) {
@@ -228,6 +227,11 @@ int mm_sound_pa_open(MMSoundHandleMode mode, int volume_config, pa_sample_spec *
 	}
 
 	handle = (mm_sound_handle_t *) malloc(sizeof(mm_sound_handle_t));
+	if (!handle) {
+		debug_error("Failed to alloc handle");
+		err = MM_ERROR_OUT_OF_MEMORY;
+		goto fail;
+	}
 	memset(handle, 0, sizeof(mm_sound_handle_t));
 	handle->mode = mode;
 	handle->volume_type = prop_vol_type;
diff --git a/mm_sound_proxy.c b/mm_sound_proxy.c
index 817aa58..5b4b767 100644
--- a/mm_sound_proxy.c
+++ b/mm_sound_proxy.c
@@ -24,7 +24,11 @@ struct callback_data {
 
 #define CB_DATA_NEW(_cb_data, _func, _userdata, _freefunc) \
 	do { \
-		_cb_data = (struct callback_data*) g_malloc0(sizeof(struct callback_data)); \
+		_cb_data = (struct callback_data*) g_try_malloc0(sizeof(struct callback_data)); \
+		if (!_cb_data) { \
+			debug_error("failed to allocate callback_data"); \
+			return MM_ERROR_OUT_OF_MEMORY; \
+		} \
 		_cb_data->user_cb = _func; \
 		_cb_data->user_data = _userdata; \
 		_cb_data->free_func = _freefunc; \
diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec
index 0b76e39..2d90f17 100644
--- a/packaging/libmm-sound.spec
+++ b/packaging/libmm-sound.spec
@@ -1,6 +1,6 @@
 Name:       libmm-sound
 Summary:    MMSound Package contains client lib and sound_server binary
-Version:    0.12.58
+Version:    0.12.59
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0
-- 
2.7.4