# HG changeset patch
# User rathann
# Date 1355090618 0
# Node ID 677e09255a1c4d0b599c0b59266221984e4b558d
# Parent 8e12b8e01713ad01c9e56ef51b490664c435dbae
This patch fixes a segmentation fault hit when reading the DVD 'The Express'. It prevents a read/write beyond end of an array due to using a length value taken from the DVD, which can exceed the allocated size.
https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170
The patch was originally written by rickyrockrat (sorry, I don't have his email address) for 4.1.3. I got the DVD and reproduced the segfault using 4.2.0 and verified the patch stops the segfault from happening. We're not confident this is the best fix though, so are posting it here for review.
Signed-off-by: Bryce Harrington
diff -r 8e12b8e01713 -r 677e09255a1c ifo_read.c
--- a/ifo_read.c	Sun Dec 09 21:07:59 2012 +0000
+++ b/ifo_read.c	Sun Dec 09 22:03:38 2012 +0000
@@ -1071,6 +1071,12 @@
     return 0;
   }
 
+  if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
+    fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
+            info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
+    tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
+  }
+
   for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
     B2N_16(tt_srpt->title[i].nr_of_ptts);
     B2N_16(tt_srpt->title[i].parental_id);
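Review bot: The new fprintf passes `info_length/sizeof(title_info_t)`, whose type is size_t, to a `%ld` conversion, which is undefined behavior under C99 7.19.6.1 and prints garbage on LP64/LLP64 mismatches; cast the arguments to match the specifiers, e.g. `fprintf(stderr,"libdvdread: data mismatch: info_length (%lu) != nr_of_srpts (%u). Truncating.\n",` / `(unsigned long)(info_length/sizeof(title_info_t)), (unsigned)tt_srpt->nr_of_srpts);`. The guard itself is only as strong as `info_length`, which is declared and computed outside this hunk: if it is a signed type derived from on-disc header fields and can go negative, the division promotes it to a huge size_t and the truncation never fires, so that case should be rejected before this comparison (the existing `return 0;` error path above is the natural place). The message also labels the printed value as `info_length` while it is actually the entry count derived from it, which will confuse anyone triaging the log line. The enclosing function starts and ends outside the hunk.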