Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Frobozz]

Is there any validation or cleanup done on uploaded cover art images to make sure they aren't malformed in some way?

I just tried using iTunes to get a few cover art images.  iTunes saves the cover images as itc2 files.  The itc2 files appeared to be jpg files with a different extension.  I renamed the itc2 files to jpg and added them to my library.  oops.  Turns out itc2 files are not proper jpg files.  Apple added info at the beginning of the file before the jpg header.  I stripped away that extra info and then added the proper jpg files to my library.

The malformed jpg files that I first uploaded are still in the online cover art library.  I can imagine some potential problems in allowing malformed image files in the online cover art library.  Someone with evil intent might possibly be able to take advantage of that to distribute images that cause problems.  Some input validation on the server might be warranted.  In the case of itc2 files masquerading as jpg it would be stripping away anything before the jpg header.  Running jpg files through a lossless jpg optimization/cleanup would also be good way of verifying proper jpg files.

[JimH]

The cover art system is based on "votes".  Each time someone chooses an image (from several), the image gets a vote.  Eventually good images rise to the top and bad ones go to the bottom and disappear.

[Frobozz]

The voting system won't catch it if the image appears to be normal.

One of the malformed images I uploaded is:
Stanley Clarke
Live At The Greek

There are two 600x600 images there.  One has a slightly larger file size than the other.  The larger one has junk before the jpg header.  Both display in MC and look normal.  The only way to know something is wrong with the file would be to download it and look at it in a hex editor.

I noticed that the itc2 files weren't proper jpg files when Windows File Explorer wasn't making thumbnails for them.  Then I looked into finding out why.

A malformed jpg like that doesn't seem to be a problem in MC.  It displays fine.  But it could be a potential problem for some image viewers and some portable mp3 players that may not identify the file as a jpg image.  For example, Windows Explorer wasn't making thumbnails for them.

[JimH]

Closing this thread now.  Please do your homework if you want to raise the issue of malware.  It requires a vulnerability in the software opening the file.

jpg attacks have been around for three or four years.  I know of no problems with MC in this regard.  If you want to discuss or learn, please use another forum.