Author: Doug Springer <gpib@rickyrockrat.net>
In the file ifo_read.c, function ifoRead_TT_SRPT, where a structure array is
allocated, but another variable, extracted from the DVD info determines the
length of the array, resulting in read/writes beyond the array. I truncate
the read, but perhaps a better solution would be to expand the malloc to
include the data off the DVD. I believe that, however, could lead to out of
memory errors if the DVD data was bad/invalid.

With the applied patch, dvdbackup no longer segfaults (Closes: #649790).
diff -Naurp libdvdread.orig/src/ifo_read.c libdvdread/src/ifo_read.c
--- libdvdread.orig/src/ifo_read.c 2012-06-29 22:38:13.234838450 +0200
+++ libdvdread/src/ifo_read.c 2012-06-29 22:43:05.753445000 +0200
@@ -1081,6 +1081,12 @@ int ifoRead_TT_SRPT(ifo_handle_t *ifofil
+ if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
+ fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
+ info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
+ tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
B2N_16(tt_srpt->title[i].nr_of_ptts);
B2N_16(tt_srpt->title[i].parental_id);
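
Review bot: In the added fprintf, the first argument info_length/sizeof(title_info_t) has type size_t because of the sizeof operand, yet it is printed with %ld, and the message labels that value "info_length" although it is the number of title_info_t entries that fit in info_length, not info_length itself. Suggest computing that count once into a local variable (say max_srpts, a hypothetical name), printing it with %zu or an explicit cast to long, reusing it in both the comparison and the assignment, and wording the message as a count mismatch. Separately, when info_length is smaller than one title_info_t the count truncates to 0 and the loop below is skipped silently; consider whether that case should be reported as a read failure rather than accepted as an empty table.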