beandog / dvd_info

Linux/BSD/Cygwin DVD utilities - dvd_info, dvd_copy, dvd_backup, dvd_player, dvd_rip, dvd_drive_status
http://dvds.beandog.org
GNU General Public License v2.0

Buffer Overflow in 'dvd_dvdread_id' Function While Converting DVD ID to Hexadecimal #12

Open yzu1103309 opened 1 week ago

yzu1103309 commented 1 week ago

Hi,

Firstly, I want to thank you for all the hard work you've done on this project. Both bluray_info and dvd_info are really handy tools in Linux!

Issue

When I built and ran dvd_info on my system today, I encountered this problem:

*** buffer overflow detected ***: terminated

Several programs seem not to work properly, except for dvd_player.

Using gdb to trace the issue, I found that the overflow occurs in the function dvd_dvdread_id in dvd_vmg_ifo.c:

bool dvd_dvdread_id(char *dest_str, dvd_reader_t *dvdread_dvd) {

    int dvdread_retval = 0;
    uint8_t dvdread_ifo_md5[16] = {0};
    char dvdread_id[DVD_DVDREAD_ID + 1] = {'\0'};
    unsigned long x = 0;

    const int a = DVD_DVDREAD_ID;

    // DVDDiscID will open the VMG IFO
    dvdread_retval = DVDDiscID(dvdread_dvd, dvdread_ifo_md5);
    if(dvdread_retval == -1)
        return false;

    for(x = 0; x < (DVD_DVDREAD_ID / 2); x++)
        snprintf(&dvdread_id[x * 2], DVD_DVDREAD_ID + 1, "%02x", dvdread_ifo_md5[x]);

    strncpy(dest_str, dvdread_id, DVD_DVDREAD_ID);

    return true;
}

The size of dvdread_id is only DVD_DVDREAD_ID + 1, but snprintf() is called with specified size of DVD_DVDREAD_ID + 1 in each iteration of the loop. When x >= 1, this causes a buffer overflow.

Changing the code to the following fixes the issue:

snprintf(&dvdread_id[x * 2], 3, "%02x", dvdread_ifo_md5[x]);

This resolves the issue by limiting the size to 3 per iteration.

After modifying the code, everything works fine on my system. [screenshot]

OS: KDE neon 6.2 (based on Ubuntu 24.04)
gcc version: 13.2.0
libdvdread-dev: 6.1.3-1.1build1

Thanks again for creating these amazing programs!

Update

I tried the original code on another Ubuntu 20.04 machine with gcc 9.4.0, and there was no issue. I'm not sure whether this problem was caused by changes in the C standard library implementation.
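A note on what the "buffer overflow detected" message is actually checking, followed by an added example (not code from dvd_info or from either commenter) of a hex-encoding loop that cannot trip it. The size argument of snprintf() is a promise about how much room is left at the destination pointer. glibc's fortified snprintf (enabled by _FORTIFY_SOURCE) compares that promise with the space the compiler can determine remains in the object and aborts when the promise is larger. With "%02x" and a uint8_t argument each call writes two digits plus a NUL, so the writes in the posted loop stay inside dvdread_id; what fails is the check itself, because DVD_DVDREAD_ID + 1 overstates the room left at &dvdread_id[x * 2] once x is nonzero. My reading of the difference between the two machines, not established in the thread: _FORTIFY_SOURCE=3 (which Ubuntu 24.04's gcc enables by default, to my knowledge) can compute the remaining size at run time for a pointer with a variable offset, while _FORTIFY_SOURCE=2 only checks sizes known at compile time. The fix proposed above (size 3) works because it never overstates; the general form is to pass the remaining space, dest_size minus the current offset, and to check the return value. EXAMPLE_DVDREAD_ID, hex_encode and example_dvdread_id are names chosen for this example, and the 16-byte input is constructed, not a real disc id; libdvdread's DVDDiscID() is not called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16 MD5 bytes -> 32 hex digits. Assumed value for this example; the real
 * DVD_DVDREAD_ID constant lives in dvd_info's own headers. */
#define EXAMPLE_DVDREAD_ID 32

/* Hex-encode src_len bytes into dest, a buffer of dest_size bytes.
 * Returns false without writing if dest cannot hold 2*src_len digits plus NUL.
 * The size handed to snprintf is the space that remains after the current
 * offset, never the whole buffer, so it is always a true statement about the
 * destination object and a fortified snprintf has nothing to complain about. */
bool hex_encode(char *dest, size_t dest_size, const uint8_t *src, size_t src_len) {
    if (dest == NULL || src == NULL)
        return false;
    if (src_len > (SIZE_MAX - 1) / 2 || dest_size < 2 * src_len + 1)
        return false;

    for (size_t i = 0; i < src_len; i++) {
        size_t off = i * 2;
        int n = snprintf(dest + off, dest_size - off, "%02x", src[i]);
        /* "%02x" of a uint8_t is always exactly two characters; anything else
         * means the buffer accounting above is wrong, so fail loudly. */
        if (n != 2) {
            dest[0] = '\0';
            return false;
        }
    }
    return true;
}

/* Same shape as dvd_dvdread_id(): turn a 16-byte disc id into a 32-character
 * hex string in a caller-supplied buffer of at least EXAMPLE_DVDREAD_ID + 1
 * bytes. The md5 is passed in by the caller instead of coming from DVDDiscID(). */
bool example_dvdread_id(char *dest_str, size_t dest_size, const uint8_t ifo_md5[16]) {
    char id[EXAMPLE_DVDREAD_ID + 1] = {'\0'};

    if (!hex_encode(id, sizeof id, ifo_md5, 16))
        return false;
    if (dest_str == NULL || dest_size < sizeof id)
        return false;
    /* Copy the terminator explicitly rather than relying on strncpy padding. */
    memcpy(dest_str, id, sizeof id);
    return true;
}

int main(void) {
    /* Constructed sample input: not a real disc id. */
    const uint8_t md5[16] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                             0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
    char id[EXAMPLE_DVDREAD_ID + 1] = {'\0'};

    if (example_dvdread_id(id, sizeof id, md5))
        printf("dvdread id: %s\n", id);
    else
        printf("hex encoding failed\n");
    return 0;
}
```

Compiling this with -O2 -D_FORTIFY_SOURCE=3 (or whatever the distribution enables by default) is the useful check: the loop above passes because every size argument is exact, whereas the posted loop aborts at the first iteration with x = 1.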

beandog commented 1 day ago

I've got Mint Linux on mine, and every time I even run anything, it segfaults immediately. I haven't had any luck tracking it down yet.

I would recommend compiling it with clang and see if that fixes it. I realize that's not a solution, but I'm curious if that could work.

beandog commented 1 day ago

For getting the dvdread id, I used the same approach that lsdvd did. I honestly don't quite understand what it's doing. If you wanna try that app and see if it crashes as well, that'd be good to know.

I'll look into it though.