Opened 12 years ago

Closed 12 years ago

#845 closed defect (fixed)

Stack overrun in libdvdcss/libdvdcss.c:dvdcss_open

Reported by: mwelinder@… Owned by: reimar
Priority: normal Component: core
Version: HEAD Severity: normal
Keywords: Cc: reimar, wintermute_77@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

In the code below, "16 + 1" is nowhere near enough if "char" is signed.
In my case, I get 05fffffffbffffffbb0005fffffffc0400. Consequently,
the stack is overrun.

Suggestion: cast psz_serial[0] etc. to unsigned char.

/* Check that all characters are digits, otherwise convert. */
for( i = 0 ; i < 16 ; i++ )
{
    if( psz_serial[i] < '0' || psz_serial[i] > '9' )
    {
        char psz_tmp[16 + 1];
        sprintf( psz_tmp,
                 "%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x",
                 psz_serial[0], psz_serial[1], psz_serial[2],
                 psz_serial[3], psz_serial[4], psz_serial[5],
                 psz_serial[6], psz_serial[7] );

        memcpy( psz_serial, psz_tmp, 16 );
        break;
    }
}

Change History (4)

comment:1 Changed 12 years ago by reimar

  • Cc Reimar.Doeffinger@… added

Please report this to libdvdcss upstream (libdvdcss@…).
IMO casting is not really the right solution; using the PRIx8 define instead of "x" should be better.

comment:2 Changed 12 years ago by mwelinder@…

Reported upstream, although I notice that the last entry in their ChangeLog was in 2005.

comment:3 Changed 12 years ago by ikalvachev@…

  • Cc wintermute_77@… added

* Bug 860 has been marked as a duplicate of this bug. *

comment:4 Changed 12 years ago by ikalvachev@…

  • Resolution set to fixed
  • Status changed from new to closed

Committed fix that changes the type to unsigned.
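Added example, not code from this ticket or from libdvdcss: it reproduces the reporter's 34-character output from the description and shows that the fix discussed in comment:1 and comment:4 (formatting the bytes as unsigned, via uint8_t/PRIx8 or an unsigned char cast) brings the result back to the 16 characters that psz_tmp was sized for. The eight sample bytes are constructed so that sign extension yields exactly the reporter's string; the function names, the 32-bit int assumption and the WORST_CASE_LEN buffer are mine, not the project's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not bytes read from a real disc): chosen so that sign
 * extension reproduces the reporter's "05fffffffbffffffbb0005fffffffc0400"
 * (0xfb -> -5 -> 0xfffffffb, 0xbb -> -69 -> 0xffffffbb, 0xfc -> -4 -> 0xfffffffc). */
static const uint8_t kSampleSerial[8] = { 0x05, 0xfb, 0xbb, 0x00, 0x05, 0xfc, 0x04, 0x00 };

#define SERIAL_FMT "%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x"
/* Worst case for the buggy formatting with a 32-bit int: 8 bytes * 8 hex digits + NUL. */
#define WORST_CASE_LEN (8 * 8 + 1)

/* Buggy variant, modelled on the ticket's loop. Reading the bytes through a
 * signed char makes the default argument promotion sign-extend anything >= 0x80,
 * so "%.2x" (a minimum of 2 digits, not a maximum) prints 8 digits for those
 * bytes. The original wrote this with sprintf into char psz_tmp[16 + 1]; here we
 * use snprintf into a worst-case buffer and return the length that was produced. */
static int format_serial_buggy(const uint8_t *raw, char *out, size_t outsz)
{
    const signed char *psz_serial = (const signed char *)raw;
    return snprintf(out, outsz, SERIAL_FMT,
                    psz_serial[0], psz_serial[1], psz_serial[2], psz_serial[3],
                    psz_serial[4], psz_serial[5], psz_serial[6], psz_serial[7]);
}

/* Fixed variant in the spirit of comment:1 / comment:4: the bytes are uint8_t and
 * printed with PRIx8, so each yields exactly two digits and the result is always
 * 16 characters. Casting each byte to unsigned char has the same effect. */
static int format_serial_fixed(const uint8_t *raw, char *out, size_t outsz)
{
    return snprintf(out, outsz,
                    "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8
                    "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8 "%.2" PRIx8,
                    raw[0], raw[1], raw[2], raw[3], raw[4], raw[5], raw[6], raw[7]);
}

/* The ticket's conversion loop with the fix applied: same control flow, but the
 * bytes are formatted as unsigned, so 16 + 1 really is enough for psz_tmp.
 * Returns 1 if a conversion happened, 0 if the serial was already all digits. */
static int convert_serial(char psz_serial[16])
{
    int i;
    for (i = 0; i < 16; i++) {
        if (psz_serial[i] < '0' || psz_serial[i] > '9') {
            char psz_tmp[16 + 1];
            const unsigned char *p = (const unsigned char *)psz_serial;
            snprintf(psz_tmp, sizeof psz_tmp, SERIAL_FMT,
                     p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
            memcpy(psz_serial, psz_tmp, 16);
            return 1;
        }
    }
    return 0;
}

/* Helpers that run each variant on the sample and report the outcome. */
static int buggy_length(void)
{
    char buf[WORST_CASE_LEN];
    return format_serial_buggy(kSampleSerial, buf, sizeof buf);
}

static int buggy_output_equals(const char *expected)
{
    char buf[WORST_CASE_LEN];
    format_serial_buggy(kSampleSerial, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

static int fixed_length(void)
{
    char buf[WORST_CASE_LEN];
    return format_serial_fixed(kSampleSerial, buf, sizeof buf);
}

static int fixed_output_equals(const char *expected)
{
    char buf[WORST_CASE_LEN];
    format_serial_fixed(kSampleSerial, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Sample bytes followed by zero padding, run through the fixed loop. */
static int converted_sample_equals(const char *expected16)
{
    char serial[16] = { 0 };
    memcpy(serial, kSampleSerial, sizeof kSampleSerial);
    return convert_serial(serial) == 1 && memcmp(serial, expected16, 16) == 0;
}

/* An all-digit serial must pass through the loop unchanged. */
static int digits_left_untouched(void)
{
    char serial[16];
    memcpy(serial, "1234567890123456", 16);
    return convert_serial(serial) == 0 && memcmp(serial, "1234567890123456", 16) == 0;
}

int main(void)
{
    char buf[WORST_CASE_LEN];
    int n = format_serial_buggy(kSampleSerial, buf, sizeof buf);
    printf("signed char:  %2d chars  %s\n", n, buf);
    n = format_serial_fixed(kSampleSerial, buf, sizeof buf);
    printf("unsigned:     %2d chars  %s\n", n, buf);
    return 0;
}
```

The point to take from the two lengths is that "%.2x" sets a minimum width, not a maximum, so sizing the temporary at 16 + 1 is only valid once every argument is guaranteed to be in 0..255; the check on a platform where plain char is unsigned would have passed silently, which is why the bug showed up only for some builds.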
