Opened 17 years ago
Closed 17 years ago
#845 closed defect (fixed)
Stack overrun in libdvdcss/libdvdcss.c:dvdcss_open
| Reported by: | Owned by: | reimar | |
|---|---|---|---|
| Priority: | normal | Component: | core |
| Version: | HEAD | Severity: | normal |
| Keywords: | Cc: | reimar, wintermute_77@… | |
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
In the code below, "16 + 1" is nowhere near enough if "char" is signed.
In my case, I get 05fffffffbffffffbb0005fffffffc0400. Consequently,
the stack is overrun.
Suggestion: cast psz_serial[0] etc. to unsigned char.
/* Check that all characters are digits, otherwise convert. */
for( i = 0 ; i < 16 ; i++ )
{
if( psz_serial[i] < '0' psz_serial[i] > '9' ) {
char psz_tmp[16 + 1];
sprintf( psz_tmp,
"%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x",
psz_serial[0], psz_serial[1], psz_serial[2],
psz_serial[3], psz_serial[4], psz_serial[5],
psz_serial[6], psz_serial[7] );
memcpy( psz_serial, psz_tmp, 16 );
break;
}
}
Change History (4)
comment:1 by , 17 years ago
| Cc: | added |
|---|
comment:2 by , 17 years ago
Reported upstream, although I notice that the last entry in their ChangeLog
was in 2005.
comment:4 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
committed fix that changes the type to unsigned
Note:
See TracTickets
for help on using tickets.
Please report this to libdvdcss upstream (libdvdcss@…).
IMO casting is not really the right solution, using the PRIx8 define instead of "x" should be better.