1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
|
/* Copyright © 2013 Canonical Limited
*
* SPDX-License-Identifier: LGPL-2.1-or-later
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
* Author: Ryan Lortie <desrt@desrt.ca>
*/
#include "config.h"
#include "thumbnail-verify.h"
#include <string.h>
/* Begin code to check the validity of thumbnail files. In order to do
* that we need to parse enough PNG in order to get the Thumb::URI,
* Thumb::MTime and Thumb::Size tags out of the file. Fortunately this
* is relatively easy.
*/
typedef struct
{
const gchar *uri;
guint64 mtime;
guint64 size;
} ExpectedInfo;
/* We *require* matches on URI and MTime, but the Size field is optional
* (as per the spec).
*
* http://specifications.freedesktop.org/thumbnail-spec/thumbnail-spec-latest.html
*/
#define MATCHED_URI (1u << 0)
#define MATCHED_MTIME (1u << 1)
#define MATCHED_ALL (MATCHED_URI | MATCHED_MTIME)
static gboolean
check_integer_match (guint64 expected,
const gchar *value,
guint32 value_size)
{
/* Would be nice to g_ascii_strtoll here, but we don't have a variant
* that works on strings that are not nul-terminated.
*
* It's easy enough to do it ourselves...
*/
if (expected == 0) /* special case: "0" */
return value_size == 1 && value[0] == '0';
/* Check each digit, as long as we have data from both */
while (expected && value_size)
{
/* Check the low-order digit */
if (value[value_size - 1] != (gchar) ((expected % 10) + '0'))
return FALSE;
/* Move on... */
expected /= 10;
value_size--;
}
/* Make sure nothing is left over, on either side */
return !expected && !value_size;
}
static gboolean
check_png_info_chunk (ExpectedInfo *expected_info,
const gchar *key,
guint32 key_size,
const gchar *value,
guint32 value_size,
guint *required_matches)
{
if (key_size == 10 && memcmp (key, "Thumb::URI", 10) == 0)
{
gsize expected_size;
expected_size = strlen (expected_info->uri);
if (expected_size != value_size)
return FALSE;
if (memcmp (expected_info->uri, value, value_size) != 0)
return FALSE;
*required_matches |= MATCHED_URI;
}
else if (key_size == 12 && memcmp (key, "Thumb::MTime", 12) == 0)
{
if (!check_integer_match (expected_info->mtime, value, value_size))
return FALSE;
*required_matches |= MATCHED_MTIME;
}
else if (key_size == 11 && memcmp (key, "Thumb::Size", 11) == 0)
{
/* A match on Thumb::Size is not required for success, but if we
* find this optional field and it's wrong, we should reject the
* thumbnail.
*/
if (!check_integer_match (expected_info->size, value, value_size))
return FALSE;
}
return TRUE;
}
static gboolean
check_thumbnail_validity (ExpectedInfo *expected_info,
const gchar *contents,
gsize size)
{
guint required_matches = 0;
/* Reference: http://www.w3.org/TR/PNG/ */
if (size < 8)
return FALSE;
if (memcmp (contents, "\x89PNG\r\n\x1a\n", 8) != 0)
return FALSE;
contents += 8, size -= 8;
/* We need at least 12 bytes to have a chunk... */
while (size >= 12)
{
guint32 chunk_size_be;
guint32 chunk_size;
/* PNG is not an aligned file format so we have to be careful
* about reading integers...
*/
memcpy (&chunk_size_be, contents, 4);
chunk_size = GUINT32_FROM_BE (chunk_size_be);
contents += 4, size -= 4;
/* After consuming the size field, we need to have enough bytes
* for 4 bytes type field, chunk_size bytes for data, then 4 byte
* for CRC (which we ignore)
*
* We just read chunk_size from the file, so it may be very large.
* Make sure it won't wrap when we add 8 to it.
*/
if (G_MAXUINT32 - chunk_size < 8 || size < chunk_size + 8)
goto out;
/* We are only interested in tEXt fields */
if (memcmp (contents, "tEXt", 4) == 0)
{
const gchar *key = contents + 4;
guint32 key_size;
/* We need to find the nul separator character that splits the
* key/value. The value is not terminated.
*
* If we find no nul then we just ignore the field.
*
* value may contain extra nuls, but check_png_info_chunk()
* can handle that.
*/
for (key_size = 0; key_size < chunk_size; key_size++)
{
if (key[key_size] == '\0')
{
const gchar *value;
guint32 value_size;
/* Since key_size < chunk_size, value_size is
* definitely non-negative.
*/
value_size = chunk_size - key_size - 1;
value = key + key_size + 1;
/* We found the separator character. */
if (!check_png_info_chunk (expected_info,
key, key_size,
value, value_size,
&required_matches))
return FALSE;
}
}
}
else
{
/* A bit of a hack: assume that all tEXt chunks will appear
* together. Therefore, if we have already seen both required
* fields and then see a non-tEXt chunk then we can assume we
* are done.
*
* The common case is that the tEXt chunks come at the start
* of the file before any of the image data. This trick means
* that we will only fault in a single page (4k) whereas many
* thumbnails (particularly the large ones) can approach 100k
* in size.
*/
if (required_matches == MATCHED_ALL)
goto out;
}
/* skip to the next chunk, ignoring CRC. */
contents += 4, size -= 4; /* type field */
contents += chunk_size, size -= chunk_size; /* data */
contents += 4, size -= 4; /* CRC */
}
out:
return required_matches == MATCHED_ALL;
}
gboolean
thumbnail_verify (const char *thumbnail_path,
const gchar *file_uri,
const GLocalFileStat *file_stat_buf)
{
gboolean thumbnail_is_valid = FALSE;
ExpectedInfo expected_info;
GMappedFile *file;
if (file_stat_buf == NULL)
return FALSE;
expected_info.uri = file_uri;
#ifdef G_OS_WIN32
expected_info.mtime = (guint64) file_stat_buf->st_mtim.tv_sec;
#else
expected_info.mtime = _g_stat_mtime (file_stat_buf);
#endif
expected_info.size = _g_stat_size (file_stat_buf);
file = g_mapped_file_new (thumbnail_path, FALSE, NULL);
if (file)
{
thumbnail_is_valid = check_thumbnail_validity (&expected_info,
g_mapped_file_get_contents (file),
g_mapped_file_get_length (file));
g_mapped_file_unref (file);
}
return thumbnail_is_valid;
}
|
