From bcd11e283cfe2b26e27053ca66ef74c6bbc7cd49 Mon Sep 17 00:00:00 2001
From: Jiyong Min <jiyong.min@samsung.com>
Date: Thu, 20 Apr 2017 10:05:13 +0900
Subject: [PATCH] Modify to use vulnerable function 'sscanf'

Change-Id: I199cb2c166a454e2765f65f837c728334fa19d91
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
---
 packaging/libmedia-service.spec |  2 +-
 src/common/media-svc-util.c     | 29 ++++++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index 9789b99..1ffa6ef 100644
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name:       libmedia-service
 Summary:    Media information service library for multimedia applications
-Version: 0.2.91
+Version: 0.2.92
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0 and public domain
diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index 2331fc8..d3492c8 100755
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -827,6 +827,33 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
 	return ret;
 }
 
+static int __media_svc_safe_atoi(char *buffer, int *si)
+{
+	char *end;
+	errno = 0;
+	const long sl = strtol(buffer, &end, 10);
+
+	if (end == buffer) {
+		media_svc_error("not a decimal number");
+		return MS_MEDIA_ERR_INTERNAL;
+	} else if ('\0' != *end) {
+		media_svc_error("extra characters at end of input: %s", end);
+		return MS_MEDIA_ERR_INTERNAL;
+	} else if ((LONG_MIN == sl || LONG_MAX == sl) && (ERANGE == errno)) {
+		media_svc_error("out of range of type long");
+		return MS_MEDIA_ERR_INTERNAL;
+	} else if (sl > INT_MAX) {
+		media_svc_error("greater than INT_MAX");
+		return MS_MEDIA_ERR_INTERNAL;
+	} else if (sl < INT_MIN) {
+		media_svc_error("less than INT_MIN");
+		return MS_MEDIA_ERR_INTERNAL;
+	} else {
+		*si = (int)sl;
+	}
+	return MS_MEDIA_ERR_NONE;
+}
+
 static int _media_svc_save_image(unsigned char *image, unsigned int size, char *image_path, uid_t uid)
 {
 	media_svc_debug("start save image, path [%s] image size [%d]", image_path, size);
@@ -2076,7 +2103,7 @@ int _media_svc_extract_media_metadata(sqlite3 *handle, media_svc_content_info_s
 		mmf_error = mm_file_get_attrs(tag, &err_attr_name, MM_FILE_TAG_DATE, &p, &size, NULL);
 		if ((!(extracted_field & MEDIA_SVC_EXTRACTED_FIELD_YEAR)) && (mmf_error == FILEINFO_ERROR_NONE) && (size == 4)) {
 			int year = 0;
-			if ((p != NULL) && (sscanf(p, "%d", &year))) {
+			if ((p != NULL) && ((ret = __media_svc_safe_atoi(p, &year)) == MS_MEDIA_ERR_NONE)) {
 				ret = __media_svc_malloc_and_strncpy(&content_info->media_meta.year, p);
 				if (ret != MS_MEDIA_ERR_NONE)
 					media_svc_error("strcpy error");
-- 
2.7.4