libdvdread core dumps with invalid next size
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libdvdread (Ubuntu) | Fix Released | High | Unassigned |
Natty | Won't Fix | Undecided | Unassigned |
Oneiric | Won't Fix | High | Vibhav Pant |
Bug Description
SRU Request:
Impact: Oneiric cannot read certain dvds, including "The Express".
Development fix: This is fixed in Precise with the minimal patch provided in this bug.
Stable fix: An identical minimal patch has been applied to the Oneiric package
Test Case: Unfortunately, someone needs to try playing the "The Express" DVD to test this updated package
Regression potential: Although unlikely, this patch may prevent other DVDs from playing, in which case the patch can be backed out.
Description: Ubuntu 11.04
Release: 11.04
When reading dvd 'The Express' via dvdbackup -I, I get a core dump:
*** glibc detected *** dvdbackup: free(): invalid next size (normal): 0x0000000002ccef70 ***
Using Valgrind, I was able to track down the culprit, in the file ifo_read.c, function ifoRead_TT_SRPT, where a structure array is allocated, but another variable, extracted from the DVD info, determines the length of the array, resulting in reads/writes beyond the array. I truncate the read, but perhaps a better solution would be to expand the malloc to include the data off the DVD. I believe that, however, could lead to out of memory errors if the DVD data was bad/invalid.
With the applied patch, dvdbackup no longer segfaults.
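Added illustration, not the reporter's patch and not libdvdread's own code: a simplified C model of the mismatch the report describes, where the entry array is sized from one header field (here `last_byte`) while the read loop is driven by another (here `nr_of_entries`, standing in for the count ifoRead_TT_SRPT takes from the disc). The table layout, field names and entry size are assumptions chosen for the example. `overrun_bytes` computes how far the unchecked loop would write past the allocation without performing the write, and `parse_srpt` shows the truncating fix the report chose: clamp the loop count to what the allocation can hold, and reject a `last_byte` that points past the data actually read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a TT_SRPT-style table (an assumption for illustration,
 * not libdvdread's real layout): an 8-byte header holding an entry count and
 * a last_byte offset, followed by fixed-size entries. */
#define HEADER_SIZE 8u
#define ENTRY_SIZE 12u

typedef struct {
    uint16_t nr_of_entries; /* how many entries the read loop will visit */
    uint32_t last_byte;     /* determines how many bytes get allocated     */
} srpt_header_t;

typedef struct {
    uint8_t raw[ENTRY_SIZE];
} srpt_entry_t;

/* Decode the big-endian header fields; caller guarantees HEADER_SIZE bytes. */
static srpt_header_t read_header(const uint8_t *buf)
{
    srpt_header_t h;
    h.nr_of_entries = (uint16_t)((buf[0] << 8) | buf[1]);
    h.last_byte = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                  ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    return h;
}

/* Bytes the original code would malloc from last_byte, or 0 if last_byte is
 * too small to even cover the header. */
static uint64_t allocated_bytes(srpt_header_t h)
{
    if (h.last_byte + 1ull < HEADER_SIZE)
        return 0;
    return (uint64_t)h.last_byte + 1 - HEADER_SIZE;
}

/* How many bytes a loop driven by nr_of_entries alone would write past the
 * allocation; 0 means the two fields agree. This is the heap corruption the
 * report attributes to ifoRead_TT_SRPT, computed rather than performed. */
uint64_t overrun_bytes(const uint8_t *buf)
{
    srpt_header_t h = read_header(buf);
    uint64_t needed = (uint64_t)h.nr_of_entries * ENTRY_SIZE;
    uint64_t alloc = allocated_bytes(h);
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened parser: still sizes the array from last_byte, but clamps the loop
 * count to what that allocation can hold (the "truncate the read" approach)
 * and rejects a last_byte that points beyond the buffer we actually have.
 * Returns the number of entries copied, or -1 on malformed input. */
int parse_srpt(const uint8_t *buf, size_t buf_len, srpt_entry_t **out)
{
    if (buf_len < HEADER_SIZE)
        return -1;
    srpt_header_t h = read_header(buf);
    uint64_t info_length = allocated_bytes(h);
    if (info_length > buf_len - HEADER_SIZE)
        return -1; /* table claims more bytes than were read from the disc */
    size_t capacity = (size_t)(info_length / ENTRY_SIZE);
    size_t count = h.nr_of_entries;
    if (count > capacity)
        count = capacity; /* never iterate past the allocation */
    srpt_entry_t *entries = calloc(capacity ? capacity : 1, sizeof *entries);
    if (!entries)
        return -1;
    for (size_t i = 0; i < count; i++)
        memcpy(entries[i].raw, buf + HEADER_SIZE + i * ENTRY_SIZE, ENTRY_SIZE);
    *out = entries;
    return (int)count;
}

/* Convenience wrapper: parse, report the count, free. */
int parsed_count(const uint8_t *buf, size_t buf_len)
{
    srpt_entry_t *e = NULL;
    int n = parse_srpt(buf, buf_len, &e);
    free(e);
    return n;
}

/* Constructed sample tables (not taken from any real disc). */
#define TWO_ENTRIES 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
/* count 2, last_byte 31: header plus 2 * 12 bytes, the fields agree */
const uint8_t SAMPLE_OK[32] = {0x00, 0x02, 0, 0, 0x00, 0x00, 0x00, 0x1f, TWO_ENTRIES};
/* count 5 but last_byte 31: the loop would write 60 bytes into a 24-byte array */
const uint8_t SAMPLE_BAD_COUNT[32] = {0x00, 0x05, 0, 0, 0x00, 0x00, 0x00, 0x1f, TWO_ENTRIES};
/* last_byte 1000 although only 32 bytes exist */
const uint8_t SAMPLE_BAD_LEN[32] = {0x00, 0x02, 0, 0, 0x00, 0x00, 0x03, 0xe8, TWO_ENTRIES};

int main(void)
{
    printf("consistent: overrun=%llu parsed=%d\n",
           (unsigned long long)overrun_bytes(SAMPLE_OK), parsed_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("bad count:  overrun=%llu parsed=%d\n",
           (unsigned long long)overrun_bytes(SAMPLE_BAD_COUNT), parsed_count(SAMPLE_BAD_COUNT, sizeof SAMPLE_BAD_COUNT));
    printf("bad length: parsed=%d\n", parsed_count(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN));
    return 0;
}
```

The second sample is the shape of the report's failure: the allocation covers two entries, the loop wants five, and the extra 36 bytes land in whatever the heap placed after the array, which is exactly what glibc's `free(): invalid next size` later complains about. Clamping keeps the allocation strategy the reporter was worried about (sizing the malloc from disc data) and only stops the loop from outrunning it; the length-versus-buffer check is the additional guard a practitioner would want so a bogus `last_byte` cannot drive the read past the sector that was actually loaded.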
Changed in libdvdread (Ubuntu):
importance: Undecided → High
status: New → Triaged
description: updated
description: updated
Changed in libdvdread (Ubuntu Natty):
status: New → Won't Fix
Changed in libdvdread (Ubuntu Oneiric):
status: Confirmed → Fix Committed
importance: Undecided → High
tags: added: removal-candidate
The attachment "Fix out of array pointer access." of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors, please also unsubscribe the team from this bug report.
[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]