Revision: 2151
http://gtkpod.svn.sourceforge.net/gtkpod/?rev=2151&view=rev
Author: teuf
Date: 2008-11-17 19:56:12 +0000 (Mon, 17 Nov 2008)
Log Message:
-----------
Add overflow checks when computing sizes to use as a malloc arg
Modified Paths:
--------------
libgpod/trunk/ChangeLog
libgpod/trunk/src/ithumb-writer.c
Modified: libgpod/trunk/ChangeLog
===================================================================
--- libgpod/trunk/ChangeLog 2008-11-14 17:12:05 UTC (rev 2150)
+++ libgpod/trunk/ChangeLog 2008-11-17 19:56:12 UTC (rev 2151)
@@ -1,3 +1,7 @@
+2008-11-17 Christophe Fergeau <[EMAIL PROTECTED]>
+
+ * src/ithumb-writer.c: add checks for int overflows on malloc args
+
2008-11-14 Todd Zullinger <tmzullinger at users.sourceforge.net>
* docs/reference/tmpl/track.sgml
Modified: libgpod/trunk/src/ithumb-writer.c
===================================================================
--- libgpod/trunk/src/ithumb-writer.c 2008-11-14 17:12:05 UTC (rev 2150)
+++ libgpod/trunk/src/ithumb-writer.c 2008-11-17 19:56:12 UTC (rev 2151)
@@ -116,10 +116,11 @@
} else {
dest_width = img_info->width;
}
- /* dst_width and dst_height come from a width/height database
- * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
- * overflow, even on an iPod containing malicious data
- */
+
+ /* Make sure thumb size calculation won't overflow */
+ g_return_val_if_fail (dest_width != 0, NULL);
+ g_return_val_if_fail (dest_width < G_MAXUINT/2, NULL);
+ g_return_val_if_fail (img_info->height < G_MAXUINT/(2*dest_width),
NULL);
*thumb_size = dest_width * img_info->height * 2;
result = g_malloc0 (*thumb_size);
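Review bot: The new overflow guards are written with `g_return_val_if_fail`, which GLib compiles to nothing when `G_DISABLE_CHECKS` is defined, so in such builds the multiplication feeding `g_malloc0` is unchecked again. The removed comment talks about an iPod containing malicious data, which suggests these dimensions are treated as possibly device-influenced; that makes this input validation rather than a programmer-error assertion. An explicit test such as `if (dest_width == 0 || dest_width >= G_MAXUINT/2 || img_info->height >= G_MAXUINT/(2*dest_width)) return NULL;` keeps the guard in every build and avoids the critical-log path. The same applies to the guards added in the other ithumb-writer.c hunks (@@ -223, -320, -377, -470 and -554). The enclosing function starts and ends outside this hunk.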
@@ -223,10 +224,10 @@
dest_width = img_info->width;
}
- /* dst_width and dst_height come from a width/height database
- * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
- * overflow, even on an iPod containing malicious data
- */
+ /* Make sure thumb size calculation won't overflow */
+ g_return_val_if_fail (dest_width != 0, NULL);
+ g_return_val_if_fail (dest_width < G_MAXUINT/2, NULL);
+ g_return_val_if_fail (img_info->height < G_MAXUINT/(2*dest_width),
NULL);
*thumb_size = dest_width * img_info->height * 2;
result = g_malloc0 (*thumb_size);
@@ -320,10 +321,11 @@
"height", &height, "width", &width,
"pixels", &pixels, NULL);
g_return_val_if_fail ((width <= img_info->width) && (height <=
img_info->height), NULL);
- /* dst_width and dst_height come from a width/height database
- * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
- * overflow, even on an iPod containing malicious data
- */
+
+ /* Make sure thumb size calculation won't overflow */
+ g_return_val_if_fail (img_info->width != 0, NULL);
+ g_return_val_if_fail (img_info->width < G_MAXUINT/4, NULL);
+ g_return_val_if_fail (img_info->height < G_MAXUINT/(4*img_info->width),
NULL);
*thumb_size = img_info->width * img_info->height * 4;
result = g_malloc0 (*thumb_size);
@@ -377,7 +379,12 @@
if (pixels_s == NULL)
{
+ g_return_val_if_fail (width != 0, NULL);
+ g_return_val_if_fail (width < G_MAXUINT/sizeof (guint16), NULL);
+ g_return_val_if_fail (height < G_MAXUINT/(sizeof (guint16)*width),
NULL);
+
pixels_s = g_malloc0 (sizeof (guint16)*width*height);
+
}
if (width == 1)
@@ -447,7 +454,7 @@
gint rowstride;
gint h, z;
guchar *pixels, *yuvdata;
- gint yuvsize, halfyuv;
+ guint yuvsize, halfyuv;
gint ustart, vstart;
g_return_val_if_fail (img_info, NULL);
@@ -470,6 +477,11 @@
"rowstride", &rowstride,
"pixels", &pixels, NULL);
+ /* Make sure yuvsize calculation won't overflow */
+ g_return_val_if_fail (height != 0, NULL);
+ g_return_val_if_fail (height < G_MAXUINT/2, NULL);
+ g_return_val_if_fail (width < G_MAXUINT/(2*height), NULL);
+
halfyuv = width*height;
yuvsize = 2*halfyuv;
@@ -529,7 +541,7 @@
gint h = 0;
gint r0, g0, b0, r1, g1, b1, r2, g2, b2, r3, g3, b3;
gint rowstride;
- gint yuvsize, halfyuv;
+ guint yuvsize, halfyuv;
gint alphabit, rgbpx;
gint exc;
@@ -554,6 +566,11 @@
"rowstride", &rowstride,
"pixels", &pixels, NULL);
+ /* Make sure yuvsize calculation won't overflow */
+ g_return_val_if_fail (height != 0, NULL);
+ g_return_val_if_fail (height < G_MAXUINT/2, NULL);
+ g_return_val_if_fail (width < G_MAXUINT/(2*height), NULL);
+
yuvsize = width*2*height;
yuvdata = g_malloc (yuvsize);
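Review bot: The guard bounds the product against `G_MAXUINT`, but `width*2*height` is evaluated in the type of `width` and `height`, not in the `guint` it is assigned to. Their declarations are outside the hunk; if they are `gint`, as the pixbuf property reads just above suggest, a product between `G_MAXINT` and `G_MAXUINT` passes the check and then overflows a signed int. The divisor `2*height` inside the check has the same problem for large `height`, here and in the @@ -470 hunk. Doing the arithmetic unsigned, e.g. `yuvsize = 2u * (guint) width * (guint) height;` with `G_MAXUINT/(2u * (guint) height)` in the guard, or bounding against `G_MAXINT` instead, would make the check match the computation. Code later in the function that indexes `yuvdata` is outside the hunk and should be checked for signed indices against the now-unsigned size.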
@@ -885,6 +902,7 @@
thumb->vertical_padding,
&thumb->size);
}
+
static gboolean write_pixels (iThumbWriter *writer, Itdb_Thumb_Ipod_Item
*thumb,
void *pixels)
{