Update of /cvsroot/gtkpod/libgpod/src
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv2166/src

Modified Files:
        itdb_artwork.c itdb_itunesdb.c ithumb-writer.c 
Log Message:
2005-11-28  Christophe Fergeau  <[EMAIL PROTECTED]>

        * src/itdb_artwork.c: (unpack_RGB_565), (get_pixel_data):
        * src/itdb_itunesdb.c: (get_mhod):
        * src/ithumb-writer.c: (pack_RGB_565),
        (ithumb_rearrange_thumbnail_file): added some paranoia checks before
        some mallocs to prevent potential integer overflows in the size
        computations, which could be triggered by forged iTunesDB files

Index: itdb_artwork.c
===================================================================
RCS file: /cvsroot/gtkpod/libgpod/src/itdb_artwork.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- itdb_artwork.c      28 Nov 2005 16:20:40 -0000      1.1
+++ itdb_artwork.c      28 Nov 2005 19:44:33 -0000      1.2
@@ -217,6 +217,7 @@
        guchar *result;
        guint i;
 
+       g_assert (bytes_len < 2*(G_MAXUINT/3));
        result = g_malloc ((bytes_len/2) * 3);
        if (result == NULL) {
                return NULL;
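Review bot: The new `g_assert (bytes_len < 2*(G_MAXUINT/3))` turns a forged iTunesDB into a process abort, and it disappears entirely in builds compiled with G_DISABLE_ASSERT, leaving the `(bytes_len/2) * 3` overflow unchecked exactly where it matters; a plain error return keeps the check in every build, e.g. `if (bytes_len >= 2*(G_MAXUINT/3)) { return NULL; }`. The `if (result == NULL)` test two lines below is unreachable as written, because GLib's g_malloc aborts on allocation failure instead of returning NULL; if a NULL return is the intended contract, the allocation should be `result = g_try_malloc ((bytes_len/2) * 3);`. unpack_RGB_565 begins before the hunk, so the declared type of bytes_len is not visible; the G_MAXUINT bound is the right limit only if the multiplication is done in unsigned int, so it is worth confirming against the declaration.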
@@ -251,6 +252,9 @@
        g_return_val_if_fail (thumb, NULL);
        g_return_val_if_fail (thumb->filename, NULL);
 
+       /* thumb->size is read as a guint32 from the iPod, so no overflow
+        * can occur here
+        */
        result = g_malloc (thumb->size);
 
        filename = itdb_thumb_get_filename (device, thumb);
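Review bot: The added comment rules out an arithmetic overflow but not the more likely failure: thumb->size is a guint32 taken from the device, so a forged file can still request an allocation of up to 4 GiB, and g_malloc aborts on failure, which makes `result = g_malloc (thumb->size);` a crash path on hostile input rather than a reported error. The same applies to `buf = g_malloc (size);` in the second ithumb-writer.c hunk, whose comment makes the identical argument. A defensive alternative is `result = g_try_malloc (thumb->size);` followed by a NULL check that returns NULL as the function already does for its other failures, or validating thumb->size against the real length of the thumbnail file before allocating; the enclosing function (presumably get_pixel_data, per the log message) starts outside the hunk.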

Index: itdb_itunesdb.c
===================================================================
RCS file: /cvsroot/gtkpod/libgpod/src/itdb_itunesdb.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -d -r1.34 -r1.35
--- itdb_itunesdb.c     28 Nov 2005 16:20:40 -0000      1.34
+++ itdb_itunesdb.c     28 Nov 2005 19:44:33 -0000      1.35
@@ -1020,6 +1020,7 @@
   case MHOD_ID_SUBTITLE:
       xl = get32lint (cts, seek+4);   /* length of string */
       if (cts->error) return result;  /* *ml==-1, result.valid==FALSE */
+      g_assert (xl < G_MAXUINT - 2);
       entry_utf16 = g_new0 (gunichar2, (xl+2)/2);
       if (seek_get_n_bytes (cts, (gchar *)entry_utf16, seek+16, xl))
       {
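Review bot: `g_assert (xl < G_MAXUINT - 2)` aborts the whole process on a forged string length even though this path already has a non-fatal error return, `if (cts->error) return result;`, immediately above it; the same applies to the later asserts in this file, `g_assert (xl < G_MAXUINT - 1)` and `g_assert (length < G_MAXUINT-2)`. The check should instead set cts->error the way the surrounding parser reports malformed input (inferred from the `cts->error` convention, not visible here) and then `return result;`, so that a bad database yields result.valid==FALSE rather than a crash. In the second hunk `xl = mhod_len - header_length;` is computed before any check that mhod_len >= header_length, so if those are unsigned a short mhod wraps to a huge xl and is caught only by the assert, again as an abort. get_mhod starts and ends outside these hunks.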
@@ -1039,6 +1040,7 @@
       /* length of string */
       xl = mhod_len - header_length;
       if (cts->error) return result;  /* *ml==-1, result.valid==FALSE */
+      g_assert (xl < G_MAXUINT - 1);
       result.data.string = g_new0 (gchar, xl+1);
       if (!seek_get_n_bytes (cts, result.data.string, seek, xl))
       {
@@ -1100,6 +1102,7 @@
              splr->action = get32bint (cts, seek+4);
              seek += 52;
              length = get32bint (cts, seek);
+             g_assert (length < G_MAXUINT-2);
              if (itdb_spl_action_known (splr->action))
              {
                  gint ft = itdb_splr_get_field_type (splr);

Index: ithumb-writer.c
===================================================================
RCS file: /cvsroot/gtkpod/libgpod/src/ithumb-writer.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- ithumb-writer.c     28 Nov 2005 16:20:40 -0000      1.6
+++ ithumb-writer.c     28 Nov 2005 19:44:33 -0000      1.7
@@ -71,6 +71,10 @@
                      "height", &height, "width", &width,
                      "pixels", &pixels, NULL);
        g_return_val_if_fail ((width <= dst_width) && (height <= dst_height), 
NULL);
+       /* dst_width and dst_height come from a width/height database 
+        * hardcoded in libipoddevice code, so dst_width * dst_height * 2 can't
+        * overflow, even on an iPod containing malicious data
+        */
        result = g_malloc0 (dst_width * dst_height * 2);
 
        for (h = 0; h < height; h++) {
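Review bot: The new comment documents why `dst_width * dst_height * 2` cannot overflow, but nothing in pack_RGB_565 enforces it; dst_width and dst_height are parameters, so any future caller that does not take them from libipoddevice's table would silently reach an overflowing `g_malloc0`. A cheap check alongside the existing g_return_val_if_fail keeps the comment honest, e.g. `g_return_val_if_fail (dst_height == 0 || dst_width <= G_MAXUINT / 2 / dst_height, NULL);` (assuming the two are unsigned; use the matching limit for their declared type, which is outside the hunk). The `NULL);` on its own line appears to be mail-client wrapping of the preceding g_return_val_if_fail rather than a change in the commit.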
@@ -350,6 +354,10 @@
     /* Sort the list of thumbs according to img->offset */
     thumbs = g_list_sort (thumbs, offset_sort);
 
+    /* size is either a value coming from a hardcoded const array from 
+     * libipoddevice, or a guint32 read from an iPod file, so no overflow
+     * can occur here
+     */
     buf = g_malloc (size);
 
     for (i=0; i<tn_num; ++i)



