From 5f46fca69040dd22865a4b07ebe523d5a57669ba Mon Sep 17 00:00:00 2001
From: Jiyong
Date: Thu, 11 Jul 2024 12:46:20 +0900
Subject: [PATCH] Bug fix. insecure strncmp - fix svace issue (LIB.INSECURE_STRNCMP)
The problem that such using checks only prefix of string because null-terminator is not checked. It may be source of vulnarability when using for compariso passwords. Correct pattern should use strlen(arg) + 1.
Change-Id: Ib66d43aac119b265c462b0ba35519caa3885d631
---
 common/mm_util_private.c | 2 +-
 packaging/libmm-utility.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/mm_util_private.c b/common/mm_util_private.c
index d44cdee..2f9eb42 100644
--- a/common/mm_util_private.c
+++ b/common/mm_util_private.c
@@ -46,7 +46,7 @@ int mm_util_safe_fopen(const char *path, const char *mode, FILE **fp)
 mm_util_stderror("realpath failed");
 return MM_UTIL_ERROR_NO_SUCH_FILE;
 }
- if (strncmp(path, _realpath, strlen(path))) {
+ if (strncmp(path, _realpath, strlen(path) + 1)) {
 mm_util_error("file is symbolic link");
 free(_realpath);
 return MM_UTIL_ERROR_NO_SUCH_FILE;
diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec
index 7958d9d..e0682b2 100644
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
@@ -1,6 +1,6 @@
 Name: libmm-utility
 Summary: Multimedia Framework Utility Library
-Version: 0.4.24
+Version: 0.4.25
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
-- 
2.7.4
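Review bot: Comparing `path` against its `realpath()` result is neither a reliable symlink test nor a race-free one: the comparison also fails for any relative path or one containing `.`, `..` or doubled slashes (so the "file is symbolic link" message is misleading there), and a symlink planted between this check and the later open is not caught. If the intent is to refuse symlinks, the robust form is `open()` with `O_NOFOLLOW` (mapping `mode` to open flags) followed by `fdopen()`; at minimum the log message should say the path was not canonical rather than assert it is a symlink. Separately, `strncmp(path, _realpath, strlen(path) + 1)` is `strcmp` spelled obscurely — `if (strcmp(path, _realpath) != 0) {` says the same thing and is what the svace finding is really asking for. mm_util_safe_fopen starts before and ends after this hunk, so the actual fopen() call is presumably further down.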