Ubuntu

libdvdread core dumps with invalid next size

Reported by rickyrockrat on 2011-11-23
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libdvdread (Ubuntu)
High
Unassigned
Natty
Undecided
Unassigned
Oneiric
High
Vibhav Pant

Bug Description

SRU Request:

Impact: Oneiric cannot read certain dvds, including "The Express".

Development fix: This is fixed in Precise with the minimal patch provided in this bug.

Stable fix: An identical minimal patch has been applied to the Oneiric package

Test Case: Unfortunately, someone needs to try playing the "The Express" DVD to test this updated package

Regression potential: Although unlikely, this patch may prevent other DVDs from playing, in which case the patch can be backed out.

Description: Ubuntu 11.04
Release: 11.04

When reading dvd 'The Express' via dvdbackup -I, I get a core dump:
*** glibc detected *** dvdbackup: free(): invalid next size (normal): 0x0000000002ccef70 ***

Using Valgrind, I was able to track down the culprit, in the file ifo_read.c, function ifoRead_TT_SRPT, where a structure array is allocated, but another variable, extracted from the DVD info determines the lenght of the array, resulting in read/writes beyond the array. I truncate the read, but perhaps a better solution would be to expand the malloc to include the data off the DVD. I believe that, however could lead to out of memory errors if the DVD data was bad/invalid.

With the applied patch, dvdbackup no longer segfaults.

rickyrockrat (rickyrockrat) wrote :

The attachment "Fix out of array pointer access." of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Bryce Harrington (bryce) on 2011-12-08
Changed in libdvdread (Ubuntu):
importance: Undecided → High
status: New → Triaged
Bryce Harrington (bryce) wrote :

Confirmed that "The Express" segfaults with this error message:

libdvdread: Elapsed time 0
dvdbackup: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.

Bryce Harrington (bryce) wrote :

Full log of a failed dvdbackup run

rickyrockrat (rickyrockrat) wrote :

Just wanted to note that this segfault happens with this patch in place:

https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/852345

And without it (i.e. in Lucid), I don't get the segfault - but of course Thor doesn't play there.

I think it's like peeling an onion. As the top bugs are exposed and fixed, more are revealed. There are more issues in libdvdread that valgrind complained about, but I didn't have time to investigate all of them. I hope to eventually...

Bryce Harrington (bryce) wrote :

With the patch applied, the dvdbackup run produced a successful backup.

However, I got a bunch of read errors, and the size of the backup image took longer than it should have; I had to interrupt it early, and noted the size of the image was abnormally large. However, it played properly, so count it a success.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libdvdread - 4.2.0-1ubuntu3

---------------
libdvdread (4.2.0-1ubuntu3) precise; urgency=low

  * Add 103-iforead-tt-srpt-pointerfix.patch: Fix read/write beyond end of
    an array due to using a length value taken from the DVD, which can
    exceed the allocated size, causing a segmentation fault.
    (LP: #894170)
 -- Bryce Harrington <email address hidden> Tue, 13 Dec 2011 21:25:05 -0800

Changed in libdvdread (Ubuntu):
status: Triaged → Fix Released
Bryce Harrington (bryce) wrote :

rickyrockrat, yeah I tested against 4.2.0 which also includes a fix for Thor, but implemented differently than the patch we put in Ubuntu. That could be why the error I saw was so different than what you saw. Still, the DVD segfaulted for me as it had for you, and your patch (with a couple tweaks) made it not crash. I would agree with you that there's more work needed, and an onion is a good analogy.

I've forwarded the patch upstream and will follow up on any improvements they can suggest. I'd encourage you to join the list if you'd be interested because it sounds like you could add a lot of value to the onion peeling efforts. Here's a link to the mailing list:

http://lists.mplayerhq.hu/mailman/listinfo/dvdnav-discuss

rickyrockrat (rickyrockrat) wrote :

Trouble is, I get too much mail as it is. I'll just continue to carry on as I have - I get 2 new movies a week, so I go through a pretty fair selection of trouble makers, and so far, I've got a good system that uses a script that uses a combination of things - HandbrakeCLI,mplayer, vlc, vobcopy, ddrescue, and dvdbackup, though I primarily use mplayer & Handbrake - the former to rip, the latter to find the correct title - all just to watch a stupid movie. I'm considering releasing it on sourceforge - but it's an awful effort to get all the source patched and built, which has to be done or the script doesn't do much. So I'd have to do a build system, which takes time and is painful. Though I guess if I released i386 and amd64 debs, it would get the majority of the crowd.

I never would have gone down this path if those idiots hadn't pissed me off several times when I had to spend a couple hours trying to just play a movie I legally rented, so now I fix every glitch I discover, and make sure someone gets the patch for the world at large. It's astounding at how devious and fruitless their efforts are - and I will continue to fight with my vote and my code, but truly, I've got to have a mis-behaving movie, and I haven't come across one since this last fix, so not sure what being on the mailing list would do us - besides filling my inbox. I don't have time right now to go rent troublesome movies, so I think this mode will work for now. Besides, I've seen patches on mplayerhq that sat there for months, with various people wondering why they bothered. I know this is a pain for you, since you have to maintain the package, and it would be easier to submit to *hq, but maybe we're good for a bit - until the next desperate, brain dead attempt surfaces.

Vibhav Pant (vibhavp) wrote :
Changed in libdvdread (Ubuntu Oneiric):
assignee: nobody → Vibhav Pant (vibhavp)
Tyler Hicks (tyhicks) wrote :

Hi Vibhav - Thanks for the debdiff! Unfortunately, there are a few issues. I don't think you truly meant to subscribe ubuntu-security-sponsors, since you targeted the oneiric-proposed pocket. If you did intend for this to go to the security pocket, use oneiric-security in the changelog. Otherwise, you probably wanted to subscribe ubuntu-sponsors.

Either way, there is a bigger problem here. 103-iforead-tt-srpt-pointerfix.patch didn't make it into the debdiff. The series file is updated, but the contents of the pointerfix patch do not exist in the debdiff.

Unsubscribing ubuntu-security-sponsors.

Changed in libdvdread (Ubuntu Oneiric):
status: New → Invalid
status: Invalid → Incomplete
Vibhav Pant (vibhavp) wrote :

Thanks for the notfication Tyler, will upload a revised debdiff soon.

Vibhav Pant (vibhavp) wrote :
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff. I've prepared a package using it, with a few minor adjustments:
- You didn't specify the correct path for the patch in the changelog
- You didn't wrap lines in the changelog
- You applied the fix inline in addition to having it in the patch system.

I've uploaded the package to -proposed to await processing by the SRU team.

Marc Deslauriers (mdeslaur) wrote :

SRU Request:

Impact: Oneiric cannot read certain dvds, including "The Express".

Development fix: This is fixed in Precise with the minimal patch provided in this bug.

Stable fix: An identical minimal patch has been applied to the Oneiric package

Test Case: Unfortunately, someone needs to try playing the "The Express" DVD to test this updated package

Regression potential: Although unlikely, this patch may prevent other DVDs from playing, in which case the patch can be backed out.

Changed in libdvdread (Ubuntu Oneiric):
status: Incomplete → Confirmed
Bryce Harrington (bryce) on 2012-05-17
description: updated
Bryce Harrington (bryce) on 2012-05-17
description: updated
Changed in libdvdread (Ubuntu Natty):
status: New → Won't Fix
Changed in libdvdread (Ubuntu Oneiric):
status: Confirmed → Fix Committed
importance: Undecided → High
Bryce Harrington (bryce) wrote :

@ricky, huh didn't see your comment #9 until now.

Totally understand not wanting to be on too many lists (I feel the same). However I've found this one to be reasonable (couple emails a week). In any case I don't really mind forwarding patches there myself and so can take care of that end.

If you're ever looking for other troublesome movies to work on you can just look at the bugs that have been filed:
https://bugs.launchpad.net/ubuntu/+source/libdvdread/

For instance https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/377414 appears to affect a lot of mainstream movies. https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/590983 is another common one.

Anyway, looks like the sru for oneiric has already been uploaded. natty is pretty long in the tooth so not really worth SRUing that. So I'm going to close out this bug. Thanks everyone.

rickyrockrat (rickyrockrat) wrote :

Bryce, I've been running 2-4 different DVDs a week, and I haven't had an issue since I fixed this little problem. Now that I said that, I'll start having problems!

I wonder if this fixes those other bugs?

Hello rickyrockrat, or anyone else affected,

Accepted libdvdread into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed

The fix for the this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now the package will be removed from the -proposed repository.

tags: added: removal-candidate
rickyrockrat (rickyrockrat) wrote :

So where does this leave the patch? I'm not running oneric.
Does this make precise or does a new bug report need to be created on precise? I will have precise installed here shortly and can have a look at it then. Just not sure where it goes from here. I'm willing to re-rent the movie and check it again, however if I need to repeat the process with precise, then I'll file and wait for verification-needed state there before renting.

Thanks.

Scott Kitterman (kitterman) wrote :

The fix has already been applied in precise. See https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170/comments/7. This is just about getting the fix in oneiric.

Brian Murray (brian-murray) wrote :

The version of libdvdread in oneiric-proposed has been removed as this bug report was not verified in a timely fashion.

tags: removed: verification-needed
tags: removed: removal-candidate
Changed in libdvdread (Ubuntu Oneiric):
status: Fix Committed → Triaged
Bryce Harrington (bryce) wrote :

The patch was accepted upstream as is.

I'm guessing no one cares about having the fix in oneiric at this point (I don't). Having it fixed in Precise seems sufficient.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers