changeset 70:f6cd5131324d src

Fix crash when PTT is too short

The PTT that is allocated and read is smaller than what gets referenced. The data is byte-swapped in place which results in writes to memory locations outside the allocated region. Region 1 True Grit is an example of this.

Derived from a patch submitted by John Stebbins. Thanks!
author erik
date Sat, 13 Aug 2011 17:28:45 +0000
parents d35a5dd07b34
children df32da8e44b1
files ifo_read.c
diffstat 1 files changed, 4 insertions(+), 0 deletions(-)
--- a/ifo_read.c	Sat Aug 13 17:28:43 2011 +0000
+++ b/ifo_read.c	Sat Aug 13 17:28:45 2011 +0000
@@ -1184,6 +1184,10 @@
     goto fail;
   }
 
+  if(vts_ptt_srpt->nr_of_srpts > info_length / sizeof(*data)) {
+    fprintf(stderr, "libdvdread: PTT search table too small.\n");
+    goto fail;
+  }
   for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) {
     B2N_32(data[i]);
     /* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1);
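Review bot: the new bound check correctly guards the in-place B2N_32(data[i]) loop that follows, but it is only as good as info_length: the hunk does not show where info_length comes from or whether it is the same quantity used to size the allocation behind data, and the commented-out assert under the loop compares against vts_ptt_srpt->last_byte instead, so please confirm both refer to the same buffer length (or derive the check from the allocated size directly). It would also help diagnosis to include nr_of_srpts and info_length in the stderr message rather than the bare "PTT search table too small", since a malformed IFO will otherwise be hard to tell apart from a short read. The goto fail matches the existing failure path just above, so cleanup behaviour is consistent.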