Commit b8151c7f authored by Doug Springer's avatar Doug Springer

Fix a segmentation fault hit when reading the DVD 'The Express'.

It prevents a read/write beyond end of an array due to using a length value
taken from the DVD, which can exceed the allocated size.

https://bugs.launchpad.net/ubuntu/+source/libdvdread/+bug/894170Signed-off-by: 's avatarBryce Harrington <bryce@canonical.com>
parent 90838f7f
......@@ -1071,6 +1071,12 @@ int ifoRead_TT_SRPT(ifo_handle_t *ifofile) {
return 0;
}
if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
}
for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
B2N_16(tt_srpt->title[i].nr_of_ptts);
B2N_16(tt_srpt->title[i].parental_id);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment