Mercurial > libdvdread4.hg
comparison ifo_read.c @ 70:f6cd5131324d src
Fix crash when PTT is too short
The PTT that is allocated and read is smaller than what gets referenced.
The data is byte-swapped in place which results in writes to memory
locations outside the allocated region. Region 1 True Grit is an
example of this.
Derived from a patch submitted by John Stebbins. Thanks!
| author | erik |
|---|---|
| date | Sat, 13 Aug 2011 17:28:45 +0000 |
| parents | d35a5dd07b34 |
| children | df32da8e44b1 |
comparison
equal
deleted
inserted
replaced
| 69:d35a5dd07b34 | 70:f6cd5131324d |
|---|---|
| 1182 if(!(DVDReadBytes(ifofile->file, data, info_length))) { | 1182 if(!(DVDReadBytes(ifofile->file, data, info_length))) { |
| 1183 fprintf(stderr, "libdvdread: Unable to read PTT search table.\n"); | 1183 fprintf(stderr, "libdvdread: Unable to read PTT search table.\n"); |
| 1184 goto fail; | 1184 goto fail; |
| 1185 } | 1185 } |
| 1186 | 1186 |
| 1187 if(vts_ptt_srpt->nr_of_srpts > info_length / sizeof(*data)) { | |
| 1188 fprintf(stderr, "libdvdread: PTT search table too small.\n"); | |
| 1189 goto fail; | |
| 1190 } | |
| 1187 for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) { | 1191 for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) { |
| 1188 B2N_32(data[i]); | 1192 B2N_32(data[i]); |
| 1189 /* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1); | 1193 /* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1); |
| 1190 Magic Knight Rayearth Daybreak is mastered very strange and has | 1194 Magic Knight Rayearth Daybreak is mastered very strange and has |
| 1191 Titles with 0 PTTs. They all have a data[i] offsets beyond the end of | 1195 Titles with 0 PTTs. They all have a data[i] offsets beyond the end of |