[libdvdcss-devel] [PATCH 09/12] css: Sanity check index before accessing BigTable

Jean-Baptiste Kempf jb at videolan.org
Tue Nov 11 14:38:48 CET 2014


OK.

On 11 Nov, Diego Biurrun wrote :
> This prevents possible out-of-bounds accesses from CID 75515 and 77193.
> ---
>  src/css.c | 21 ++++++++++++++++++---
>  1 file changed, 18 insertions(+), 3 deletions(-)
> 
> diff --git a/src/css.c b/src/css.c
> index d5585ce..ca9e0a4 100644
> --- a/src/css.c
> +++ b/src/css.c
> @@ -1164,7 +1164,7 @@ static int CrackDiscKey( dvdcss_t dvdcss, uint8_t *p_disc_key )
>      unsigned int lfsr1a;                /* upper 9 bits of LFSR1 */
>      unsigned int lfsr1b;                /* lower 8 bits of LFSR1 */
>      unsigned int tmp, tmp2, tmp3, tmp4,tmp5;
> -    int i,j;
> +    int i, j, ret = 0;
>      unsigned int nStepA;        /* iterator for LFSR1 start state */
>      unsigned int nStepB;        /* iterator for possible B[0]     */
>      unsigned int nTry;          /* iterator for K[1] possibilities */
> @@ -1233,6 +1233,11 @@ static int CrackDiscKey( dvdcss_t dvdcss, uint8_t *p_disc_key )
>          }
>  
>          j = ( out2[0] << 16 ) | ( out2[1] << 8 ) | out2[4];
> +        if ( j >= BIGTABLESIZE )
> +        {
> +            ret = -1;
> +            goto error;
> +        }
>          BigTable[j] = i;
>      }
>  
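Review bot: The new guard on `j` tests only the upper bound, yet `j` is a signed `int` (`int i, j, ret = 0;`), so a negative value would pass `j >= BIGTABLESIZE` and still reach `BigTable[j] = i;`. Whether that can happen depends on the element type of `out2` and on how `BIGTABLESIZE` is defined, neither of which is visible in this hunk. Unless both rule it out, the check should read `if ( j < 0 || j >= BIGTABLESIZE )`, or `j` should be made unsigned like `tmp4`. The same index expression and bound check are repeated for `tmp4` in the two later hunks, so a small static helper that builds and validates the index would keep the three sites in agreement.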
> @@ -1288,6 +1293,11 @@ static int CrackDiscKey( dvdcss_t dvdcss, uint8_t *p_disc_key )
>  
>                  /* test first possible out2[4] */
>                  tmp4 = ( out2[0] << 16 ) | ( out2[1] << 8 ) | out2[4];
> +                if ( tmp4 >= BIGTABLESIZE )
> +                {
> +                    ret = -1;
> +                    goto error;
> +                }
>                  tmp4 = BigTable[ tmp4 ];
>                  C[2] = tmp4 & 0xff;
>                  C[3] = ( tmp4 >> 8 ) & 0xff;
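Review bot: An out-of-range `tmp4` here abandons the whole key search through `goto error`, where skipping just this candidate would also have been possible, and nothing at the site says which is intended. A one-line comment above the check would record the decision, for example `/* index outside BigTable: state is inconsistent, abort the search */`. The same applies to the second `tmp4` check in the next hunk. The surrounding loops start and end outside this hunk, so the effect on the rest of the search cannot be confirmed from here.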
> @@ -1308,6 +1318,11 @@ static int CrackDiscKey( dvdcss_t dvdcss, uint8_t *p_disc_key )
>                  /* Test second possible out2[4] */
>                  out2[4] = ( out2[4] + 0xff ) & 0xff;
>                  tmp4 = ( out2[0] << 16 ) | ( out2[1] << 8 ) | out2[4];
> +                if ( tmp4 >= BIGTABLESIZE )
> +                {
> +                    ret = -1;
> +                    goto error;
> +                }
>                  tmp4 = BigTable[ tmp4 ];
>                  C[2] = tmp4 & 0xff;
>                  C[3] = ( tmp4 >> 8 ) & 0xff;
> @@ -1329,13 +1344,13 @@ static int CrackDiscKey( dvdcss_t dvdcss, uint8_t *p_disc_key )
>      }
>  
>  end:
> -
>      memcpy( p_disc_key, &C[0], DVD_KEY_SIZE );
>  
> +error:
>      free( K1table );
>      free( BigTable );
>  
> -    return 0;
> +    return ret;
>  }
>  
>  /*****************************************************************************
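Review bot: The label `error:` is also reached on the success path by falling through from `end:`, so the name wrongly suggests it is failure-only; `cleanup:` or `out:` would describe the shared `free()` calls better. With `return ret;` the function can now return -1 and skip the `memcpy` into `p_disc_key`, which is a new contract for callers. The header comment of CrackDiscKey, which lies outside this hunk, should state it, for example `Returns 0 on success, -1 if a table index is out of range; p_disc_key is not written on failure.` The callers are not visible here, so it is worth confirming that they check the return value before using the key buffer.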
> -- 
> 2.1.0
> 

-- 
With my kindest regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device

