libdvdread: patch libdvdread malloc bomb

author jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>

Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)

committer jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>

Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)
author jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>
Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)
committer jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>
Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)
diff --git a/contrib/libdvdread/A01-check-nr_of_lus.patch b/contrib/libdvdread/A01-check-nr_of_lus.patch

new file mode 100644 (file)

index 0000000..d49fb94
--- /dev/null
+++ b/contrib/libdvdread/A01-check-nr_of_lus.patch
@@ -0,0 +1,17 @@
+diff -Naur libdvdread.orig/src/ifo_read.c libdvdread/src/ifo_read.c
+--- libdvdread.orig/src/ifo_read.c     2009-01-08 14:57:10.000000000 -0800
++++ libdvdread/src/ifo_read.c  2009-06-27 13:22:27.940241400 -0700
+@@ -1914,6 +1914,13 @@
+   CHECK_VALUE(pgci_ut->nr_of_lus < 100); /* ?? 3-4 ? */
+   CHECK_VALUE((uint32_t)pgci_ut->nr_of_lus * PGCI_LU_SIZE < pgci_ut->last_byte);
+ 
++  if (pgci_ut->nr_of_lus == 0 || pgci_ut->nr_of_lus >= 100)
++  {
++    free(pgci_ut);
++    ifofile->pgci_ut = 0;
++    return 0;
++  }
++
+   info_length = pgci_ut->nr_of_lus * PGCI_LU_SIZE;
+   data = malloc(info_length);
+   if(!data) {
author	jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>
	Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)
committer	jstebbins <jstebbins@b64f7644-9d1e-0410-96f1-a4d463321fa5>
	Sat, 27 Jun 2009 20:29:50 +0000 (20:29 +0000)