authorChristophe Fergeau <teuf@gnome.org>2005-11-28 19:44:33 +0000
committerChristophe Fergeau <teuf@gnome.org>2005-11-28 19:44:33 +0000
commit80ade88ec9ff5b45c7532c25f160e6bc7cd41533 (patch)
tree6ead9f334b311d1abd4670bf988abeb7a3572c39
parent1100f4f45220e6579fffa476d07d719093177852 (diff)
2005-11-28 Christophe Fergeau <teuf@gnome.org>
* src/itdb_artwork.c: (unpack_RGB_565), (get_pixel_data): * src/itdb_itunesdb.c: (get_mhod): * src/ithumb-writer.c: (pack_RGB_565), (ithumb_rearrange_thumbnail_file): added some paranoia checks before doing some mallocs to prevent potential int overflows in some mallocs which could be triggered by using forged iTunesDB files git-svn-id: https://gtkpod.svn.sf.net/svnroot/gtkpod/libgpod/trunk@1181 f01d2545-417e-4e96-918e-98f8d0dbbcb6
-rw-r--r--ChangeLog9
-rw-r--r--src/itdb_artwork.c4
-rw-r--r--src/itdb_itunesdb.c3
-rw-r--r--src/ithumb-writer.c8
4 files changed, 24 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 2c2ff0a..350df06 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2005-11-28 Christophe Fergeau <teuf@gnome.org>
+
+ * src/itdb_artwork.c: (unpack_RGB_565), (get_pixel_data):
+ * src/itdb_itunesdb.c: (get_mhod):
+ * src/ithumb-writer.c: (pack_RGB_565),
+ (ithumb_rearrange_thumbnail_file): added some paranoia checks before
+ doing some mallocs to prevent potential int overflows in some mallocs
+ which could be triggered by using forged iTunesDB files
+
2005-11-28 Jorg Schuler <jcsjcs at users.sourceforge.net>
New API for thumbnail support: see src/itdb.h for details.
diff --git a/src/itdb_artwork.c b/src/itdb_artwork.c
index 69b432a..072daa1 100644
--- a/src/itdb_artwork.c
+++ b/src/itdb_artwork.c
@@ -217,6 +217,7 @@ unpack_RGB_565 (guint16 *pixels, guint bytes_len)
guchar *result;
guint i;
+ g_assert (bytes_len < 2*(G_MAXUINT/3));
result = g_malloc ((bytes_len/2) * 3);
if (result == NULL) {
return NULL;
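Review bot: The new `g_assert (bytes_len < 2*(G_MAXUINT/3))` turns a forged bytes_len into a process abort, and when GLib is built with G_DISABLE_ASSERT it is compiled out, so the guard in front of `g_malloc ((bytes_len/2) * 3)` is either a crash or absent depending on build flags. The function already has a NULL-return path two lines below, so reject the value the same way: `if (bytes_len >= 2*(G_MAXUINT/3)) return NULL;`. Note also that `g_malloc` aborts on allocation failure rather than returning NULL, so the existing `result == NULL` check only becomes meaningful with `g_try_malloc`. unpack_RGB_565's body continues outside the hunk.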
@@ -251,6 +252,9 @@ get_pixel_data (IpodDevice *device, Itdb_Thumb *thumb)
g_return_val_if_fail (thumb, NULL);
g_return_val_if_fail (thumb->filename, NULL);
+ /* thumb->size is read as a guint32 from the iPod, so no overflow
+ * can occur here
+ */
result = g_malloc (thumb->size);
filename = itdb_thumb_get_filename (device, thumb);
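Review bot: The comment is right that `g_malloc (thumb->size)` involves no arithmetic, but the line still hands an attacker-chosen size straight to an allocator that aborts on failure, so a forged thumb->size near 4 GiB (if it is the guint32 the comment describes) is a guaranteed crash on exactly the kind of file this commit is hardening against. Bound it before allocating — presumably against the length of the thumbnail file obtained from `filename` just below — or use `g_try_malloc` and return NULL on failure, which the function's `g_return_val_if_fail` callers already expect. The same applies to `buf = g_malloc (size)` in the ithumb_rearrange_thumbnail_file hunk of src/ithumb-writer.c, where the comment likewise documents the source of the value but nothing caps it. get_pixel_data's body continues outside the hunk.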
diff --git a/src/itdb_itunesdb.c b/src/itdb_itunesdb.c
index a74cf9c..9a6cb4b 100644
--- a/src/itdb_itunesdb.c
+++ b/src/itdb_itunesdb.c
@@ -1020,6 +1020,7 @@ static MHODData get_mhod (FContents *cts, glong mhod_seek, guint32 *ml)
case MHOD_ID_SUBTITLE:
xl = get32lint (cts, seek+4); /* length of string */
if (cts->error) return result; /* *ml==-1, result.valid==FALSE */
+ g_assert (xl < G_MAXUINT - 2);
entry_utf16 = g_new0 (gunichar2, (xl+2)/2);
if (seek_get_n_bytes (cts, (gchar *)entry_utf16, seek+16, xl))
{
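Review bot: `g_assert (xl < G_MAXUINT - 2)` fails hard on a hostile file: g_assert aborts the whole process, and under G_DISABLE_ASSERT it is compiled out, so the check protecting `g_new0 (gunichar2, (xl+2)/2)` vanishes in such builds. The line before it already shows the graceful pattern for bad input (`if (cts->error) return result;`), so the bound belongs on that path, e.g. `if (xl >= G_MAXUINT - 2) return result;` together with whatever error marking the cts->error path relies on (that bookkeeping is outside the hunk). The assertions `xl < G_MAXUINT - 1` and `length < G_MAXUINT-2` added in the two following hunks of this function have the same issue. get_mhod starts and ends outside the hunk.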
@@ -1039,6 +1040,7 @@ static MHODData get_mhod (FContents *cts, glong mhod_seek, guint32 *ml)
/* length of string */
xl = mhod_len - header_length;
if (cts->error) return result; /* *ml==-1, result.valid==FALSE */
+ g_assert (xl < G_MAXUINT - 1);
result.data.string = g_new0 (gchar, xl+1);
if (!seek_get_n_bytes (cts, result.data.string, seek, xl))
{
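Review bot: `xl = mhod_len - header_length` wraps to a huge value when a forged mhod declares a length shorter than its own header, and the new assertion then aborts on precisely that input instead of rejecting the record; an explicit `if (mhod_len < header_length) return result;` before the subtraction treats the truncated record as a file error. The operand types are not visible in the hunk, so whether the wrap is unsigned modular arithmetic or a negative value later converted for `g_new0 (gchar, xl+1)` should be confirmed, but either way the explicit comparison is the check that names the actual condition. get_mhod starts and ends outside the hunk.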
@@ -1100,6 +1102,7 @@ static MHODData get_mhod (FContents *cts, glong mhod_seek, guint32 *ml)
splr->action = get32bint (cts, seek+4);
seek += 52;
length = get32bint (cts, seek);
+ g_assert (length < G_MAXUINT-2);
if (itdb_spl_action_known (splr->action))
{
gint ft = itdb_splr_get_field_type (splr);
diff --git a/src/ithumb-writer.c b/src/ithumb-writer.c
index 7fb3bed..ecf86b6 100644
--- a/src/ithumb-writer.c
+++ b/src/ithumb-writer.c
@@ -71,6 +71,10 @@ pack_RGB_565 (GdkPixbuf *pixbuf, int dst_width, int dst_height)
"height", &height, "width", &width,
"pixels", &pixels, NULL);
g_return_val_if_fail ((width <= dst_width) && (height <= dst_height), NULL);
+ /* dst_width and dst_height come from a width/height database
+ * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
+ * overflow, even on an iPod containing malicious data
+ */
result = g_malloc0 (dst_width * dst_height * 2);
for (h = 0; h < height; h++) {
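Review bot: The new comment records why `g_malloc0 (dst_width * dst_height * 2)` is trusted, but nothing in the code enforces it: dst_width and dst_height are plain `int` parameters, and the existing g_return_val_if_fail only compares them against the pixbuf's dimensions, so a negative or oversized pair from any future caller would still reach the allocator with the product converted to gsize. A cheap enforced precondition is more durable than the comment: `g_return_val_if_fail (dst_width > 0 && dst_height > 0 && dst_width <= (G_MAXINT / 2) / dst_height, NULL);`. pack_RGB_565's body continues outside the hunk.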
@@ -350,6 +354,10 @@ static gboolean ithumb_rearrange_thumbnail_file (gpointer _key,
/* Sort the list of thumbs according to img->offset */
thumbs = g_list_sort (thumbs, offset_sort);
+ /* size is either a value coming from a hardcoded const array from
+ * libipoddevice, or a guint32 read from an iPod file, so no overflow
+ * can occur here
+ */
buf = g_malloc (size);
for (i=0; i<tn_num; ++i)