[DVDnav-discuss] r1249 - trunk/libdvdread/src/ifo_read.c

rathann subversion at mplayerhq.hu
Sun Dec 9 23:03:39 CET 2012


Author: rathann
Date: Sun Dec  9 23:03:38 2012
New Revision: 1249

Log:
This patch fixes a segmentation fault hit when reading the DVD 'The
Express'.  It prevents a read/write beyond end of an array due to using
a length value taken from the DVD, which can exceed the allocated size.

https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170

The patch was originally written by rickyrockrat (sorry, I don't have
his email address) for 4.1.3.  I got the DVD and reproduced the segfault
using 4.2.0 and verified the patch stops the segfault from happening.
We're not confident this is the best fix though, so are posting it here
for review.

Signed-off-by: Bryce Harrington <bryce at canonical.com>

Modified:
   trunk/libdvdread/src/ifo_read.c

Modified: trunk/libdvdread/src/ifo_read.c
==============================================================================
--- trunk/libdvdread/src/ifo_read.c	Sun Dec  9 22:45:02 2012	(r1248)
+++ trunk/libdvdread/src/ifo_read.c	Sun Dec  9 23:03:38 2012	(r1249)
@@ -1071,6 +1071,12 @@ int ifoRead_TT_SRPT(ifo_handle_t *ifofil
     return 0;
   }
 
+  if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
+    fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
+            info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
+    tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
+  }
+
   for(i =  0; i < tt_srpt->nr_of_srpts; i++) {
     B2N_16(tt_srpt->title[i].nr_of_ptts);
     B2N_16(tt_srpt->title[i].parental_id);
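Review bot: the new fprintf passes info_length/sizeof(title_info_t) to a %ld conversion, but that quotient has type size_t (the sizeof operand promotes the division), so the specifier should be %zu or the value should be cast to long; the text is also misleading, since what is printed under the label "info_length" is the number of entries that fit, not info_length itself. Suggested wording: `"libdvdread: data mismatch: info_length/sizeof(title_info_t) (%zu) < nr_of_srpts (%d). Truncating.\n"`. Two things to confirm before merging, since neither is visible in the hunk: the guard only bounds nr_of_srpts by info_length, so it is sufficient only if info_length was itself validated against the size actually allocated for tt_srpt->title, and if info_length is a signed type a negative value would convert to a very large unsigned quotient and sail through this comparison. Minor style point: the surrounding code spaces its operators (`i < tt_srpt->nr_of_srpts`), whereas the added lines run them together (`nr_of_srpts>info_length`, `nr_of_srpts=info_length`).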

