Commit e0952d6b authored by John Stebbins

Fix crash when PTT is too short

The PTT that is allocated and read is smaller than what gets referenced.
The data is byte-swapped in place which results in writes to memory
locations outside the allocated region. Region 1 True Grit is an
example of this.
parent fbf6c750
......@@ -1184,6 +1184,10 @@ int ifoRead_VTS_PTT_SRPT(ifo_handle_t *ifofile) {
goto fail;
}
if(vts_ptt_srpt->nr_of_srpts > info_length / sizeof(*data)) {
fprintf(stderr, "libdvdread: PTT search table too small.\n");
goto fail;
}
for(i = 0; i < vts_ptt_srpt->nr_of_srpts; i++) {
B2N_32(data[i]);
/* assert(data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1);
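Review bot: the new `nr_of_srpts > info_length / sizeof(*data)` check bounds only the number of offset entries, so the byte-swap loop now stays inside the buffer, but the offset values themselves are still unvalidated: the range test in the loop body, `data[i] + sizeof(ptt_info_t) <= vts_ptt_srpt->last_byte + 1`, remains a commented-out assert. Consider turning it into a runtime check that takes the same `goto fail` path, so an offset pointing past the table is rejected here rather than trusted by whatever dereferences it later. If `info_length` is a signed type, it is also worth confirming it cannot be negative at this point, since dividing by `sizeof(*data)` converts it to unsigned and a negative value would pass the comparison. A short comment above the check stating that it guards the in-place B2N_32 swap would help the next reader.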
......