[Bug 894170] Re: libdvdread core dumps with invalid next size

Bryce Harrington 894170 at bugs.launchpad.net
Thu May 17 04:26:59 UTC 2012


** Description changed:

- On 
+ [Impact]
+ <fill me in with explanation of severity and frequency of bug on users and justification for backporting the fix to the stable release>
+ 
+ [Development Fix]
+ <fill me in with an explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix. >
+ 
+ [Stable Fix]
+ <fill me in by pointing out a minimal patch applicable to the stable version of the package.>
+ 
+ [Text Case]
+ <fill me in with detailed *instructions* on how to reproduce the bug.  This will be used by people later on to verify the updated package fixes the problem.>
+ 1.
+ 2.
+ 3.
+ Broken Behavior: 
+ Fixed Behavior: 
+ 
+ [Regression Potential]
+ <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.>
+ 
+ [Original Report]On
  Description:    Ubuntu 11.04
  Release:        11.04
  
  When reading dvd 'The Express' via dvdbackup -I, I get a core dump:
  *** glibc detected *** dvdbackup: free(): invalid next size (normal): 0x0000000002ccef70 ***
  
  Using Valgrind, I was able to track down the culprit, in the file
  ifo_read.c, function ifoRead_TT_SRPT, where a structure array is
  allocated, but another variable, extracted from the DVD info determines
  the lenght of the array, resulting in read/writes beyond the array. I
  truncate the read, but perhaps a better solution would be to expand the
  malloc to include the data off the DVD. I believe that, however could
  lead to out of memory errors if the DVD data was bad/invalid.
  
  With the applied patch, dvdbackup no longer segfaults.
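
Review bot: the added heading "[Text Case]" looks like a typo for "[Test Case]", since the placeholder under it asks for instructions to reproduce the bug and verify the updated package. The added line "[Original Report]On" also keeps the fragment "On" from the removed line, fused onto the heading. Suggest renaming the heading and dropping the stray "On". All five sections added above the original report are still "<fill me in ...>" template text, and the numbered steps and the Broken Behavior / Fixed Behavior lines are empty, so they need content before this description can be used to justify a backport.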

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/894170

Title:
  libdvdread core dumps with invalid next size

Status in “libdvdread” package in Ubuntu:
  Fix Released
Status in “libdvdread” source package in Natty:
  New
Status in “libdvdread” source package in Oneiric:
  Confirmed

Bug description:
  [Impact]
  <fill me in with explanation of severity and frequency of bug on users and justification for backporting the fix to the stable release>

  [Development Fix]
  <fill me in with an explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix. >

  [Stable Fix]
  <fill me in by pointing out a minimal patch applicable to the stable version of the package.>

  [Text Case]
  <fill me in with detailed *instructions* on how to reproduce the bug.  This will be used by people later on to verify the updated package fixes the problem.>
  1.
  2.
  3.
  Broken Behavior: 
  Fixed Behavior: 

  [Regression Potential]
  <fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.>

  [Original Report]On
  Description:    Ubuntu 11.04
  Release:        11.04

  When reading dvd 'The Express' via dvdbackup -I, I get a core dump:
  *** glibc detected *** dvdbackup: free(): invalid next size (normal): 0x0000000002ccef70 ***

  Using Valgrind, I was able to track down the culprit, in the file
  ifo_read.c, function ifoRead_TT_SRPT, where a structure array is
  allocated, but another variable, extracted from the DVD info
  determines the length of the array, resulting in read/writes beyond
  the array. I truncate the read, but perhaps a better solution would be
  to expand the malloc to include the data off the DVD. I believe that,
  however, could lead to out of memory errors if the DVD data was
  bad/invalid.

  With the applied patch, dvdbackup no longer segfaults.
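
The class of bug in the report (an array sized from one header field while a separate, disc-supplied count drives the loop) can be illustrated with the added example below. It is not libdvdread's code or the patch attached to the bug. The table layout, the sizes and the names `parse_table`, `demo`, `HDR_SIZE` and `ENTRY_SIZE` are assumptions made for illustration. It truncates the count as the reporter describes and also bounds the declared length by the bytes actually read, so a bad length cannot drive a huge allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_SIZE   8u    /* assumed header: count(2) reserved(2) last_byte(4) */
#define ENTRY_SIZE 12u   /* assumed fixed-size table entry */

typedef struct { uint8_t raw[ENTRY_SIZE]; } entry_t;

/* Parse a table whose header carries both an entry count and a byte length.
 * Returns the number of entries copied to *out (caller frees), or -1 if the
 * header is inconsistent with the bytes actually available. */
int parse_table(const uint8_t *buf, size_t len, entry_t **out)
{
    *out = NULL;
    if (len < HDR_SIZE)
        return -1;
    uint32_t count = ((uint32_t)buf[0] << 8) | buf[1];
    uint64_t last_byte = ((uint64_t)buf[4] << 24) | ((uint64_t)buf[5] << 16) |
                         ((uint64_t)buf[6] << 8) | buf[7];
    /* The declared length must cover the header and fit in the input, so a
     * bogus value can neither underflow nor drive a huge allocation. */
    if (last_byte + 1 < HDR_SIZE || last_byte + 1 > len)
        return -1;
    size_t capacity = (size_t)(last_byte + 1 - HDR_SIZE) / ENTRY_SIZE;
    if (count > capacity)          /* count disagrees with length: truncate */
        count = (uint32_t)capacity;
    if (count == 0)
        return 0;
    *out = malloc((size_t)count * sizeof(entry_t));
    if (*out == NULL)
        return -1;
    memcpy(*out, buf + HDR_SIZE, (size_t)count * ENTRY_SIZE);
    return (int)count;
}

/* Build a constructed sample table, parse it, and return the result. */
int demo(uint16_t count, uint32_t last_byte, size_t n_entries)
{
    uint8_t buf[HDR_SIZE + 16 * ENTRY_SIZE] = {0};
    entry_t *tab;
    if (n_entries > 16)
        return -1;
    buf[0] = (uint8_t)(count >> 8);      buf[1] = (uint8_t)count;
    buf[4] = (uint8_t)(last_byte >> 24); buf[5] = (uint8_t)(last_byte >> 16);
    buf[6] = (uint8_t)(last_byte >> 8);  buf[7] = (uint8_t)last_byte;
    int n = parse_table(buf, HDR_SIZE + n_entries * ENTRY_SIZE, &tab);
    free(tab);
    return n;
}
```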
