[DVDnav-discuss] r1232 - trunk/libdvdread/src/ifo_read.c
erik
subversion at mplayerhq.hu
Sat Aug 13 19:28:45 CEST 2011
Author: erik
Date: Sat Aug 13 19:28:45 2011
New Revision: 1232
Log:
Fix crash when PTT is too short
The PTT that is allocated and read is smaller than what gets referenced.
The data is byte-swapped in place which results in writes to memory
locations outside the allocated region. Region 1 True Grit is an
example of this.
Derived from a patch submitted by John Stebbins. Thanks!
Modified:
trunk/libdvdread/src/ifo_read.c
Modified: trunk/libdvdread/src/ifo_read.c
==============================================================================
--- trunk/libdvdread/src/ifo_read.c Sat Aug 13 19:28:43 2011 (r1231)
+++ trunk/libdvdread/src/ifo_read.c Sat Aug 13 19:28:45 2011 (r1232)
@@ -1184,6 +1184,10 @@ int ifoRead_VTS_PTT_SRPT(ifo_handle_t *i
goto fail;
}
+ if(vts_ptt_srpt->nr_of_srpts > info_length / sizeof(*data)) {
+ fprintf(stderr, "libdvdread: PTT search table too small.\n");
+ goto fail;
+ }
for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) {
B2N_32(data[i]);
/* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1);
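Review bot: The added check before the loop bounds only the entry count; the offsets stored in data[i] are still not validated at runtime, because the assert that follows B2N_32(data[i]) is commented out. An image with a sane nr_of_srpts but an out-of-range offset in data[i] passes this test, so consider turning that commented-out condition (data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1) into a real check that also takes the goto fail path. It is also worth confirming that the fail label releases data on this new exit, and including nr_of_srpts and info_length in the error message so that a rejected disc can be diagnosed from the log.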