[MPlayer-cvslog] r23727 - trunk/libdvdcss/libdvdcss.c

Ivan Kalvachev ikalvachev at gmail.com
Sat Aug 30 18:59:03 CEST 2008

On 8/29/08, Diego Biurrun <diego at biurrun.de> wrote:
> On Sat, Jul 07, 2007 at 12:07:36AM +0200, reimar wrote:
>> Log:
>> Fix CSS format strings, they could print more than two digits for
>> "negative" numbers.
> This was rejected by Sam Hocevar on libdvdcss-devel:
>      As discussed on IRC, a fix for this issue was actually already in
>   trunk. I do not feel the need to switch to PRIx8 conversions because
>   arguments smaller than int will be promoted with the expected sign
>   extension anyway (C standard for variadic function rules,
>   for integer promotion).
> So I'm backing this out with the libdvdcss sync (1.2.10 has just been
> released).

That's nonsense.
This is like removing car belts because the car is equipped with air bags.

The problem is in the sign extension. If it is negative you get
0xffffffff. The 0.2 format requires at least 2 digits, but it
allows more than 2; if negative it would be 6 symbols. That
causes a write after the end of the array and stack corruption.

Indeed making the array unsigned is enough to prevent the sign extension,
but you can never be too cautious with sprintf.
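
The sign-extension effect discussed in this message, as an added example that is not part of the original post and is not libdvdcss or MPlayer code. The function names, the sample bytes and the `%02x` format string are assumptions made for illustration; it measures how many characters a two-digit hex conversion emits for a signed versus an unsigned byte, and shows a bounded encoder.

```c
#include <stdio.h>
#include <stddef.h>

/* Characters "%02x" emits for a byte held in a signed char. The cast
 * spells out what default argument promotion does to it in a variadic
 * call: sign-extend to int, which %x then reads as unsigned int. */
int width_signed(signed char b)
{
    return snprintf(NULL, 0, "%02x", (unsigned int)(int)b);
}

/* Same byte held in an unsigned char: promotion zero-extends. */
int width_unsigned(unsigned char b)
{
    return snprintf(NULL, 0, "%02x", (unsigned int)b);
}

/* Hex-encode n bytes into out (outsz bytes, NUL included).
 * Returns 0 on success, -1 if the result would not fit. */
int hex_encode(const void *src, size_t n, char *out, size_t outsz)
{
    const unsigned char *p = src;   /* unsigned view: never sign-extends */
    size_t i;

    if (outsz < 2 * n + 1)
        return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        /* bounded write: at most 2 digits plus NUL per step */
        if (snprintf(out + 2 * i, 3, "%02x", (unsigned int)p[i]) != 2)
            return -1;
    }
    return 0;
}

int main(void)
{
    const char key[] = { (char)0xF0, 0x0A, (char)0xFF }; /* constructed bytes */
    char hex[2 * sizeof key + 1];

    printf("signed 0xF0   -> %d chars\n", width_signed((signed char)-16));
    printf("unsigned 0xF0 -> %d chars\n", width_unsigned(0xF0));
    if (hex_encode(key, sizeof key, hex, sizeof hex) == 0)
        printf("encoded: %s\n", hex);
    return 0;
}
```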
