Modify to use vulnerable function 'sscanf'

(Fix Security Svace issue)

Change-Id: Iea50bdd5c2fc232d46d0629296a994edb994bb28
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>

diff --git a/packaging/libmedia-service.spec b/packaging/libmedia-service.spec
index 1dbcb90..632f9ee 100644 (file)
--- a/packaging/libmedia-service.spec
+++ b/packaging/libmedia-service.spec
@@ -1,6 +1,6 @@
 Name:       libmedia-service
 Summary:    Media information service library for multimedia applications
-Version: 0.3.1
+Version: 0.3.2
 Release:    0
 Group:      Multimedia/Libraries
 License:    Apache-2.0 and PD

diff --git a/src/common/media-svc-util.c b/src/common/media-svc-util.c
index c96f917..b6287c9 100755 (executable)
--- a/src/common/media-svc-util.c
+++ b/src/common/media-svc-util.c
@@ -804,6 +804,33 @@ static int __media_svc_resize_artwork(unsigned char *image, unsigned int size, c
        return ret;
 }
 
+static int __media_svc_safe_atoi(char *buffer, int *si)
+{
+       char *end;
+       errno = 0;
+       const long sl = strtol(buffer, &end, 10);
+
+       if (end == buffer) {
+               media_svc_error("not a decimal number");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if ('\0' != *end) {
+               media_svc_error("extra characters at end of input: %s", end);
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if ((LONG_MIN == sl || LONG_MAX == sl) && (ERANGE == errno)) {
+               media_svc_error("out of range of type long");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if (sl > INT_MAX) {
+               media_svc_error("greater than INT_MAX");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else if (sl < INT_MIN) {
+               media_svc_error("less than INT_MIN");
+               return MS_MEDIA_ERR_INTERNAL;
+       } else {
+               *si = (int)sl;
+       }
+       return MS_MEDIA_ERR_NONE;
+}
+
 static int _media_svc_save_image(unsigned char *image, unsigned int size, char *image_path, uid_t uid)
 {
        media_svc_debug("start save image, path [%s] image size [%d]", image_path, size);
@@ -1983,7 +2010,7 @@ int _media_svc_extract_media_metadata(sqlite3 *handle, media_svc_content_info_s
                mmf_error = mm_file_get_attrs(tag, &err_attr_name, MM_FILE_TAG_DATE, &p, &size, NULL);
                if ((!(extracted_field & MEDIA_SVC_EXTRACTED_FIELD_YEAR)) && (mmf_error == FILEINFO_ERROR_NONE) && (size == 4)) {
                        int year = 0;
-                       if ((p != NULL) && (sscanf(p, "%d", &year))) {
+                       if ((p != NULL) && ((ret != __media_svc_safe_atoi(p, &year)) == MS_MEDIA_ERR_NONE)) {
                                ret = __media_svc_malloc_and_strncpy(&content_info->media_meta.year, p);
                                if (ret != MS_MEDIA_ERR_NONE)
                                        media_svc_error("strcpy error");