# HG changeset patch
# User erik
# Date 1313256525 0
# Node ID f6cd5131324de3d77415d67f40e0d69c04234f73
# Parent d35a5dd07b34bc6c2b59ab70061b4ee2ed2c393d
Fix crash when PTT is too short

The PTT that is allocated and read is smaller than what gets referenced. The data is byte-swapped in place which results in writes to memory locations outside the allocated region. Region 1 True Grit is an example of this. Derived from a patch submitted by John Stebbins. Thanks!

diff -r d35a5dd07b34 -r f6cd5131324d ifo_read.c
--- a/ifo_read.c Sat Aug 13 17:28:43 2011 +0000
+++ b/ifo_read.c Sat Aug 13 17:28:45 2011 +0000
@@ -1184,6 +1184,10 @@
 goto fail;
 }

+ if(vts_ptt_srpt->nr_of_srpts > info_length / sizeof(*data)) {
+ fprintf(stderr, "libdvdread: PTT search table too small.\n");
+ goto fail;
+ }
 for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) {
 B2N_32(data[i]);
 /* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1);
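Review bot: The new `nr_of_srpts` guard only bounds the in-place `B2N_32(data[i])` swap; the swapped values are then offsets taken from the disc, and the commented-out `assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1)` on the hunk's last line shows each one still needs a live bound check before it is used to index the same buffer, which nothing inside this hunk does (the for-loop body continues outside the hunk, so that check may already exist below). If it does not, a check of the same shape, `if(data[i] + sizeof(ptt_info_t) > vts_ptt_srpt->last_byte + 1) goto fail;`, belongs in the loop right after the swap. The guard also silently relies on `info_length` being non-negative and on it holding exactly the bytes read into `data`; neither declaration is visible here, and a negative `int` would be converted to an unsigned quantity by the division and pass the comparison, so that is worth confirming against the allocation above the hunk. A one-line comment would make the intent clear to the next reader: `/* nr_of_srpts is read from the disc; cap it so the in-place byte-swap below stays within the info_length bytes actually allocated and read into data. */`.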