Re: [Libcdio-devel] buffer overflow/memory corruption in udf_readdir()
From: Pete Batard
Subject: Re: [Libcdio-devel] buffer overflow/memory corruption in udf_readdir()
Date: Tue, 17 Jan 2012 17:04:08 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
On 2012.01.17 15:43, Rocky Bernstein wrote:
> Oh, I forgot to ask -- are we sure this is a bug in libcdio? It is possible
> that it was valid at the time it was written for an earlier UDF standard.
Well, the first thing is that the reuse of udf_dirent_t on memcopy
without checking the size looks a bit dodgy to me.
Then, nearly all of the UDF images I tried from the MSDN (about 4 of 5
of them) manifested the issue, so either Microsoft has a really buggy
UDF image creation software, or libcdio has a bug. Also there should not
be any form of copy protection on these images, as they are of course
intended for internal replication and usage by MSDN subscribers.
I also believe that these are 1:1 copies of the actual UDF installation
media that Microsoft sells to individual customers, so if it deviates
too much from the standard, they would probably get reports.
Therefore, my bet would be on a libcdio bug.
> A while back there was a UDF checker I think it was available from Sony
> that dumped out UDF information and said whether something was valid UDF.
> I'd be interested in knowing if what you are testing passes a UDF checker.
> (A google search on UDF checkers seems to indicate there are a number
> available for MS Windows).
Good idea.
I downloaded the UDF Verifier Software from Philips (see the notes at
the end of [1]. Registration required, but it comes as a
Linux/OSX/Win/Solaris source. On Windows, it might also require
wnaspi32.dll which one can get from [2]).
The tool generates a huge log with the Windows 8 preview UDF image, but
the only error I got was the following:
====> Testing uniqueness of relevant UniqueIDs.
Error: 2 files or directories with identical UniqueID, UDF 3.2.1.1.
- #0000000000000078 /"sources"/"noupgrade.txt"
- #0000000000000078 /"sources"/"peerdistai.dll"
Now, because our issue is with the udf_dirent, I don't think that having
2 files with the same UID is the cause, especially as I don't expect
these files to be responsible for reading a different directory LBA.
Also, I got more than one mismatch with that image and I also didn't get
this error on other images with the same problems.
> And I don't mind helping out in little ways. But others have to take
> the lead on this, especially as I have no personal interest or need
> for UDF support.
Understood.
Regards,
/Pete
[1] http://homepage.mac.com/wenguangwang/myhome/udf.html
[2] http://www.frogaspi.org/download.htm#frogaspi
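
Added example (not part of the original message and not libcdio's code): a size-checked copy of a UDF File Identifier Descriptor into a reused entry buffer, the kind of check the message says is missing when udf_dirent_t is reused across memcpy calls. The names dirent_buf_t, fid_length, dirent_load and walk_sample are hypothetical, and the length rule assumed is the ECMA-167 one (38 fixed bytes + L_IU + L_FI, padded to a multiple of 4).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reusable entry buffer; not libcdio's udf_dirent_t. */
typedef struct {
    uint8_t *fid;     /* copy of the current File Identifier Descriptor */
    size_t   fid_cap; /* bytes allocated for fid */
    size_t   fid_len; /* bytes currently in use */
} dirent_buf_t;

/* FID size: 38 fixed bytes + L_IU (LE uint16 at offset 36) + L_FI (byte at
   offset 19), padded to 4. Returns 0 if it does not fit in the bytes left. */
size_t fid_length(const uint8_t *p, size_t avail)
{
    if (avail < 38) return 0;
    size_t l_fi = p[19];
    size_t l_iu = (size_t)p[36] | ((size_t)p[37] << 8);
    size_t len = (38 + l_iu + l_fi + 3) & ~(size_t)3;
    return len <= avail ? len : 0;
}

/* Copy the next descriptor into the reused buffer, growing it when this entry
   is larger than the allocation. Returns bytes consumed, or 0 on error. */
size_t dirent_load(dirent_buf_t *d, const uint8_t *p, size_t avail)
{
    size_t len = fid_length(p, avail);
    if (len == 0) return 0;
    if (len > d->fid_cap) {
        uint8_t *grown = realloc(d->fid, len);
        if (grown == NULL) return 0;
        d->fid = grown;
        d->fid_cap = len;
    }
    memcpy(d->fid, p, len);
    d->fid_len = len;
    return len;
}

/* Constructed sample: a 40-byte entry (L_FI=2), a 68-byte entry (L_FI=30),
   then 20 trailing bytes too short to hold a descriptor. Returns entries read. */
size_t walk_sample(dirent_buf_t *d)
{
    uint8_t dir[128] = { [19] = 2, [40 + 19] = 30 };
    size_t off = 0, n, count = 0;
    for (; (n = dirent_load(d, dir + off, sizeof dir - off)) != 0; off += n)
        count++;
    return count;
}
```

A buffer sized once for the first 40-byte entry would be overrun by the 68-byte second entry; tracking fid_cap and checking the length against the remaining directory bytes covers both the reuse case and a descriptor that claims more data than is present.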