libdvdread core dumps with invalid next size

The attachment "Fix out of array pointer access." of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Confirmed that "The Express" segfaults with this error message:

libdvdread: Elapsed time 0
dvdbackup: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.

Full log of a failed dvdbackup run

Just wanted to note that this segfault happens with this patch in place:

https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/852345

And without it (i.e. in Lucid), I don't get the segfault - but of course Thor doesn't play there.

I think it's like peeling an onion. As the top bugs are exposed and fixed, more are revealed. There are more issues in libdvdread that valgrind complained about, but I didn't have time to investigate all of them. I hope to eventually...

With the patch applied, the dvdbackup run produced a successful backup.

However, I got a bunch of read errors, and the size of the backup image took longer than it should have; I had to interrupt it early, and noted the size of the image was abnormally large. However, it played properly, so count it a success.

This bug was fixed in the package libdvdread - 4.2.0-1ubuntu3

---------------
libdvdread (4.2.0-1ubuntu3) precise; urgency=low

  * Add 103-iforead-tt-srpt-pointerfix.patch: Fix read/write beyond end of
    an array due to using a length value taken from the DVD, which can
    exceed the allocated size, causing a segmentation fault.
    (LP: #894170)
 -- Bryce Harrington <email address hidden> Tue, 13 Dec 2011 21:25:05 -0800

rickyrockrat, yeah I tested against 4.2.0 which also includes a fix for Thor, but implemented differently than the patch we put in Ubuntu. That could be why the error I saw was so different than what you saw. Still, the DVD segfaulted for me as it had for you, and your patch (with a couple tweaks) made it not crash. I would agree with you that there's more work needed, and an onion is a good analogy.

I've forwarded the patch upstream and will follow up on any improvements they can suggest. I'd encourage you to join the list if you'd be interested because it sounds like you could add a lot of value to the onion peeling efforts. Here's a link to the mailing list:

http://lists.mplayerhq.hu/mailman/listinfo/dvdnav-discuss

Trouble is, I get too much mail as it is. I'll just continue to carry on as I have - I get 2 new movies a week, so I go through a pretty fair selection of trouble makers, and so far, I've got a good system that uses a script that uses a combination of things - HandbrakeCLI,mplayer, vlc, vobcopy, ddrescue, and dvdbackup, though I primarily use mplayer & Handbrake - the former to rip, the latter to find the correct title - all just to watch a stupid movie. I'm considering releasing it on sourceforge - but it's an awful effort to get all the source patched and built, which has to be done or the script doesn't do much. So I'd have to do a build system, which takes time and is painful. Though I guess if I released i386 and amd64 debs, it would get the majority of the crowd.

I never would have gone down this path if those idiots hadn't pissed me off several times when I had to spend a couple hours trying to just play a movie I legally rented, so now I fix every glitch I discover, and make sure someone gets the patch for the world at large. It's astounding at how devious and fruitless their efforts are - and I will continue to fight with my vote and my code, but truly, I've got to have a mis-behaving movie, and I haven't come across one since this last fix, so not sure what being on the mailing list would do us - besides filling my inbox. I don't have time right now to go rent troublesome movies, so I think this mode will work for now. Besides, I've seen patches on mplayerhq that sat there for months, with various people wondering why they bothered. I know this is a pain for you, since you have to maintain the package, and it would be easier to submit to *hq, but maybe we're good for a bit - until the next desperate, brain dead attempt surfaces.

Hi Vibhav - Thanks for the debdiff! Unfortunately, there are a few issues. I don't think you truly meant to subscribe ubuntu-security-sponsors, since you targeted the oneiric-proposed pocket. If you did intend for this to go to the security pocket, use oneiric-security in the changelog. Otherwise, you probably wanted to subscribe ubuntu-sponsors.

Either way, there is a bigger problem here. 103-iforead-tt-srpt-pointerfix.patch didn't make it into the debdiff. The series file is updated, but the contents of the pointerfix patch do not exist in the debdiff.

Unsubscribing ubuntu-security-sponsors.

Thanks for the notfication Tyler, will upload a revised debdiff soon.

Thanks for the debdiff. I've prepared a package using it, with a few minor adjustments:
- You didn't specify the correct path for the patch in the changelog
- You didn't wrap lines in the changelog
- You applied the fix inline in addition to having it in the patch system.

I've uploaded the package to -proposed to await processing by the SRU team.

SRU Request:

Impact: Oneiric cannot read certain dvds, including "The Express".

Development fix: This is fixed in Precise with the minimal patch provided in this bug.

Stable fix: An identical minimal patch has been applied to the Oneiric package

Test Case: Unfortunately, someone needs to try playing the "The Express" DVD to test this updated package

Regression potential: Although unlikely, this patch may prevent other DVDs from playing, in which case the patch can be backed out.

@ricky, huh didn't see your comment #9 until now.

Totally understand not wanting to be on too many lists (I feel the same). However I've found this one to be reasonable (couple emails a week). In any case I don't really mind forwarding patches there myself and so can take care of that end.

If you're ever looking for other troublesome movies to work on you can just look at the bugs that have been filed:
https://bugs.launchpad.net/ubuntu/+source/libdvdread/

For instance https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/377414 appears to affect a lot of mainstream movies. https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/590983 is another common one.

Anyway, looks like the sru for oneiric has already been uploaded. natty is pretty long in the tooth so not really worth SRUing that. So I'm going to close out this bug. Thanks everyone.

Bryce, I've been running 2-4 different DVDs a week, and I haven't had an issue since I fixed this little problem. Now that I said that, I'll start having problems!

I wonder if this fixes those other bugs?

Hello rickyrockrat, or anyone else affected,

Accepted libdvdread into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

The fix for the this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now the package will be removed from the -proposed repository.

So where does this leave the patch? I'm not running oneric.
Does this make precise or does a new bug report need to be created on precise? I will have precise installed here shortly and can have a look at it then. Just not sure where it goes from here. I'm willing to re-rent the movie and check it again, however if I need to repeat the process with precise, then I'll file and wait for verification-needed state there before renting.

Thanks.

The fix has already been applied in precise. See https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170/comments/7. This is just about getting the fix in oneiric.

The version of libdvdread in oneiric-proposed has been removed as this bug report was not verified in a timely fashion.

The patch was accepted upstream as is.

I'm guessing no one cares about having the fix in oneiric at this point (I don't). Having it fixed in Precise seems sufficient.

oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".