Mercurial > libdvdread4.hg

comparison ifo_read.c @ 76:677e09255a1c src

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
This patch fixes a segmentation fault hit when reading the DVD 'The Express'. It prevents a read/write beyond end of an array due to using a length value taken from the DVD, which can exceed the allocated size. https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170 The patch was originally written by rickyrockrat (sorry, I don't have his email address) for 4.1.3. I got the DVD and reproduced the segfault using 4.2.0 and verified the patch stops the segfault from happening. We're not confident this is the best fix though, so are posting it here for review. Signed-off-by: Bryce Harrington <bryce@canonical.com>
author rathann
date Sun, 09 Dec 2012 22:03:38 +0000
parents 8e12b8e01713
children 7299649d578f
comparison
equal deleted inserted replaced
75:8e12b8e01713 76:677e09255a1c
1069 fprintf(stderr, "libdvdread: Unable to read read TT_SRPT.\n"); 1069 fprintf(stderr, "libdvdread: Unable to read read TT_SRPT.\n");
1070 ifoFree_TT_SRPT(ifofile); 1070 ifoFree_TT_SRPT(ifofile);
1071 return 0; 1071 return 0;
1072 } 1072 }
1073 1073
1074 if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
1075 fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
1076 info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
1077 tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
1078 }
1079
1074 for(i = 0; i < tt_srpt->nr_of_srpts; i++) { 1080 for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
1075 B2N_16(tt_srpt->title[i].nr_of_ptts); 1081 B2N_16(tt_srpt->title[i].nr_of_ptts);
1076 B2N_16(tt_srpt->title[i].parental_id); 1082 B2N_16(tt_srpt->title[i].parental_id);
1077 B2N_32(tt_srpt->title[i].title_set_sector); 1083 B2N_32(tt_srpt->title[i].title_set_sector);
1078 } 1084 }