[DVDnav-discuss] [PATCH] src/ifo_read.c: Abort when PTT search table has zero entries

Paul Menzel paulepanter at users.sourceforge.net
Mon Nov 18 17:15:03 CET 2013


Date: Mon, 18 Nov 2013 16:31:53 +0100

The static analyzer from LLVM/Clang 1:3.4~svn194079-1 reports a possible
allocation of size 0 in `libdvdread/src/ifo_read.c`.

	$ scan-build -o scan-build make
	$ scan-view scan-build/2013-11-18-155601-16168-1

When `vts_ptt_srpt->nr_of_srpts` is zero the allocation size is zero.

	vts_ptt_srpt->title = malloc(vts_ptt_srpt->nr_of_srpts * sizeof(ttu_t));

The manual of the function `malloc` writes the following.

        If size is 0, then malloc() returns either NULL, or a unique
        pointer value that can later be successfully passed to free().

So check for 0 and, if it is, abort by going to the label `fail`.
---
 libdvdread/src/ifo_read.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libdvdread/src/ifo_read.c b/libdvdread/src/ifo_read.c
index d690e80..36545ce 100644
--- a/libdvdread/src/ifo_read.c
+++ b/libdvdread/src/ifo_read.c
@@ -1186,6 +1186,12 @@ int ifoRead_VTS_PTT_SRPT(ifo_handle_t *ifofile) {
     fprintf(stderr, "libdvdread: PTT search table too small.\n");
     goto fail;
   }
+
+  if(vts_ptt_srpt->nr_of_srpts == 0) {
+    fprintf(stderr, "libdvdread: Zero entries in PTT search table.\n");
+    goto fail;
+  }
+
   for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) {
     /* Transformers 3 has PTT start bytes that point outside the SRPT PTT */
     uint32_t start = data[i];
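Review bot: the new `nr_of_srpts == 0` check ahead of the `for` loop makes an empty PTT search table a hard failure through `goto fail`, but the commit message only quotes the malloc(0) wording and never says which later access goes wrong when the count is zero. Please name that access in the message, so it is clear why failing the whole read is preferred over accepting an empty table. The `malloc` call quoted in the message is not visible in this hunk, so also confirm that the check runs before it and that the `fail` label releases everything allocated up to this point.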
-- 
1.8.4.3