2005-11-28 Christophe Fergeau <teuf@gnome.org>

	* src/itdb_artwork.c: (unpack_RGB_565), (get_pixel_data):
	* src/itdb_itunesdb.c: (get_mhod):
	* src/ithumb-writer.c: (pack_RGB_565),
	(ithumb_rearrange_thumbnail_file): added some paranoia checks before
	doing some mallocs to prevent potential int overflows in some mallocs
	which could be triggered by using forged iTunesDB files


git-svn-id: https://gtkpod.svn.sf.net/svnroot/gtkpod/libgpod/trunk@1181 f01d2545-417e-4e96-918e-98f8d0dbbcb6

1 files changed, 8 insertions, 0 deletions

diff --git a/src/ithumb-writer.c b/src/ithumb-writer.c
index 7fb3bed..ecf86b6 100644
--- a/src/ithumb-writer.c
+++ b/src/ithumb-writer.c
@@ -71,6 +71,10 @@ pack_RGB_565 (GdkPixbuf *pixbuf, int dst_width, int dst_height)
 		      "height", &height, "width", &width,
 		      "pixels", &pixels, NULL);
 	g_return_val_if_fail ((width <= dst_width) && (height <= dst_height), NULL);
+	/* dst_width and dst_height come from a width/height database 
+	 * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
+	 * overflow, even on an iPod containing malicious data
+	 */
 	result = g_malloc0 (dst_width * dst_height * 2);
 
 	for (h = 0; h < height; h++) {
@@ -350,6 +354,10 @@ static gboolean ithumb_rearrange_thumbnail_file (gpointer _key,
     /* Sort the list of thumbs according to img->offset */
     thumbs = g_list_sort (thumbs, offset_sort);
 
+    /* size is either a value coming from a hardcoded const array from 
+     * libipoddevice, or a guint32 read from an iPod file, so no overflow
+     * can occur here
+     */
     buf = g_malloc (size);
 
     for (i=0; i<tn_num; ++i)