From 4218aaee5ac7d0362c60258c814132b6441fe636 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Wed, 11 Mar 2020 15:17:09 +0900
Subject: [PATCH] Fix crash issue due to garbage value
- If the result of g_convert() is empty string, the written_len is 0. Then (unsigned int)'written_len - 1' became garbage value and checking carriage return make crash.
(gdb)bt full
mmfile_string_convert ...mm_file_util_string.c:189
i = 1395696
result = 0xae45a410 ""
err = 0x0
written_len = 0
Change-Id: I61b4c3e4a6b938ce549844e163dc46f47398aa98
---
 packaging/libmm-fileinfo.spec | 2 +-
 utils/mm_file_util_string.c | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/packaging/libmm-fileinfo.spec b/packaging/libmm-fileinfo.spec
index 1eef915..6561d3b 100644
--- a/packaging/libmm-fileinfo.spec
+++ b/packaging/libmm-fileinfo.spec
@@ -1,6 +1,6 @@
 Name: libmm-fileinfo
 Summary: Media Fileinfo
-Version: 0.6.86
+Version: 0.6.87
 Release: 1
 Group: System/Libraries
 License: Apache-2.0
diff --git a/utils/mm_file_util_string.c b/utils/mm_file_util_string.c
index be784ab..96f549c 100755
--- a/utils/mm_file_util_string.c
+++ b/utils/mm_file_util_string.c
@@ -173,18 +173,19 @@ char *mmfile_string_convert(const char *str, unsigned int len,
 result = g_convert(str, len, to_codeset, from_codeset, bytes_read, &written_len, &err);
 /*if converting failed, return null string.*/
- if (!result) {
+ if (!result || written_len == 0) {
 debug_warning(RELEASE, "text encoding failed.[%s][%d]\n", str, len);
 if (err != NULL) {
 debug_warning(DEBUG, "Error msg [%s]", err->message);
 g_error_free(err);
 }
+ mmfile_free(result);
 written_len = 0;
 } else {
 /* check carriage return */
- unsigned int i = 0;
+ gsize i = 0;
 for (i = 0; i < written_len - 1; i++) {
 if (result[i] == '\r') {
 if (result[i + 1] != '\n')
--
2.7.4
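Review bot: In the failure branch of the utils/mm_file_util_string.c hunk, `mmfile_free(result);` releases the g_convert() buffer, but nothing visible resets `result`, so the code after the `else` block (outside this hunk) may return or touch a freed pointer when the conversion yields an empty string. mmfile_free is not defined on this page; unless it is known to clear its argument and to release GLib allocations, I would write `g_free(result); result = NULL;` here. The widened condition also routes a successful-but-empty conversion through the "text encoding failed" warning, which prints the length-delimited input `str` with `%s`; if `str` is not guaranteed to be NUL-terminated, bounding it as `"text encoding failed.[%.*s][%u]\n", (int)len, str, len` keeps the log from reading past the buffer. mmfile_string_convert starts and ends outside the hunk.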