shithub: libdvdcss


ref: e0eb585a2591c45c3198c97a8fbd2ae1e4e85eea
parent: 191f02b68793cff37fa3908098208d9a5421e52b
author: Ivan Kalvachev <ikalvachev@gmail.com>
date: Sun Jul 29 06:14:53 EDT 2007

Fix crash on some DVDs
sprintf(tmp,"%.02x",(char)0xef); would print "ffffffef" instead of "ef".
In this case that leads to a local array buffer overflow and hard-to-trace stack corruption.
The quick, easy & dirty solution is to use (unsigned char) or (uint8_t).

--- a/src/libdvdcss.c
+++ b/src/libdvdcss.c
@@ -404,7 +404,8 @@
         uint8_t p_sector[DVDCSS_BLOCK_SIZE];
         char psz_debug[PATH_MAX + 30];
         char psz_key[1 + KEY_SIZE * 2 + 1];
-        char *psz_title, *psz_serial;
+        char *psz_title;
+        uint8_t *psz_serial;
         int i;
 
         /* We read sector 0. If it starts with 0x000001ba (BE), we are
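Review bot: The new `uint8_t *psz_serial;` declaration has no comment saying why it must be unsigned, and the `psz_` prefix still reads as an ordinary char string, so a later cleanup could change it back to `char *` and bring back the sign extension described in the commit message. I would add a comment above it such as `/* uint8_t, not char: bytes >= 0x80 must not be sign-extended when formatted with %.02x */`. If psz_serial is later handed to functions that take `char *` (those call sites are not visible in this hunk), they will now need an explicit cast to stay warning-free. The enclosing function starts and ends outside the hunk.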
@@ -462,7 +463,7 @@
         }
 
         /* Get the date + serial */
-        psz_serial = (char *)p_sector + 813;
+        psz_serial = p_sector + 813;
         psz_serial[16] = '\0';
 
         /* Check that all characters are digits, otherwise convert. */
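Review bot: Dropping the cast in `psz_serial = p_sector + 813;` closes the overflow only indirectly, through the type that reaches the variadic call. The formatting call named in the commit message is, as described there, still an unbounded sprintf into a local array, and it lies outside this hunk. Switching that call to snprintf with the size of its destination array, or masking each byte argument with `& 0xff`, would make the output length independent of the pointer's signedness. These bytes are read from the disc sector, so the bound is worth stating explicitly rather than relying on promotion rules. The enclosing function continues outside the hunk.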
@@ -794,4 +795,5 @@
 {
     return _dvdcss_title( dvdcss, i_block );
 }
+