From 4c60658563354cada16f7d635d52254279dc3656 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Tue, 15 Sep 2020 17:13:19 +0900
Subject: [PATCH] Fix tainted data and minor change
- Add to check return value of fread due to tainted data
- Add to check minimum value of '((x[0] << 8) | (x[1]))'
- minor change. change 'long' and 'gsize' to 'size_t'
Change-Id: Ib71be1c7caeea8c99cb6194734599930d4d64bc1
---
 packaging/libmedia-service.spec | 2 +-
 src/common/media-svc-util.c | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index a7f5c64..3276801 100644
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name: libmedia-service
 Summary: Media information service library for multimedia applications
-Version: 0.4.13
+Version: 0.4.14
 Release: 0
 Group: Multimedia/Libraries
 License: Apache-2.0 and PD
diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index aa2881a..4e44550 100644
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -806,12 +806,10 @@ int _media_svc_set_media_info(media_svc_content_info_s *content_info, const char
 static int __image_360_check(const char *path)
 {
 FILE *fp = NULL;
- long app1_size = 0;
- int size = 1;
+ size_t size = 0, app1_size = 0, exif_app1_xmp_size = 0;
 unsigned char exif_header[4] = {0, };
 unsigned char exif_app1[2] = {0, };
 unsigned char exif_app1_xmp[2] = {0, };
- gsize exif_app1_xmp_size = 0;
 unsigned char exif_app1_xmp_t[2] = {0, };
 GString *xmp_data = NULL;
 int fdata = 0;
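Review bot: `app1_size` becomes `size_t` here but is still passed unchanged to `fseek(fp, app1_size, SEEK_CUR)` in the following hunk, and `fseek` takes a `long` offset, so the value is implicitly converted back to a signed type at the call. The value is derived from a 16-bit length field, so the conversion cannot overflow as written; an explicit `(long)app1_size` at the call would record that bound and keep sign-conversion warnings quiet. The rest of `__image_360_check` lies outside this hunk.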
@@ -827,32 +825,35 @@ static int __image_360_check(const char *path)
 goto ERROR;
 size = fread(exif_header, 1, sizeof(exif_header), fp);
- if (size <= 0)
+ if (size != sizeof(exif_header))
 goto ERROR;
 if ((exif_header[0] == 0xff) && (exif_header[1] == 0xd8) && (exif_header[2] == 0xff) && (exif_header[3] == 0xe1)) {
 size = fread(exif_app1, 1, sizeof(exif_app1), fp);
- if (size <= 0)
+ if (size != sizeof(exif_app1))
 goto ERROR;
- app1_size = (long)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ;
+ if ((size_t)((exif_app1[0] << 8) | (exif_app1[1])) <= 2)
+ goto ERROR;
+ app1_size = (size_t)((exif_app1[0] << 8) | (exif_app1[1])) - 2 ;
 if (fseek(fp, app1_size, SEEK_CUR) != 0)
 goto ERROR;
 size = fread(exif_app1_xmp, 1, sizeof(exif_app1_xmp), fp);
- if (size <= 0)
+ if (size != sizeof(exif_app1_xmp))
 goto ERROR;
 if ((exif_app1_xmp[0] == 0xff) && (exif_app1_xmp[1] == 0xe1)) {
 size = fread(exif_app1_xmp_t, 1, sizeof(exif_app1_xmp_t), fp);
- if (size <= 0)
+ if (size != sizeof(exif_app1_xmp_t))
 goto ERROR;
- exif_app1_xmp_size = (long)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2;
- if (exif_app1_xmp_size == 0)
+ if ((size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) <= 2)
 goto ERROR;
+ exif_app1_xmp_size = (size_t)((exif_app1_xmp_t[0] << 8) | (exif_app1_xmp_t[1])) - 2;
+
 xmp_data = g_string_sized_new(exif_app1_xmp_size);
 do {
-- 
2.7.4
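Review bot: The big-endian segment length is decoded twice at each site, once inside the new `<= 2` guard and again in the assignment, so the check and the value it protects can drift apart in a later edit. Decoding once keeps them tied together: `app1_size = ((size_t)exif_app1[0] << 8) | exif_app1[1];`, `if (app1_size <= 2) goto ERROR;`, `app1_size -= 2;`, and likewise for `exif_app1_xmp_size`. Because both variables are now unsigned, the guard must stay ahead of the `- 2`; a length field of 0 or 1 would otherwise wrap to a very large value, and a short comment such as `/* length field counts its own two bytes */` would make that ordering requirement visible. The function body starts before this hunk and the `do {` loop is cut off at its end, so how the XMP payload read is bounded against `exif_app1_xmp_size` cannot be checked from here.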