authorjstebbins <[email protected]>2009-06-27 20:29:50 +0000
committerjstebbins <[email protected]>2009-06-27 20:29:50 +0000
commit2cb0e60451671090f0dfc419da79f42cbd0f87a6 (patch)
tree717a16457fb2d28f5c78e6a26ffae43a15bd0b9e
parentb71af78978f4c6d388179d9da5eff684583521c5 (diff)
libdvdread: patch libdvdread malloc bomb
If pgci_ut->nr_of_lus holds an invalid value, libdvdread can malloc gigabytes of data while attempting to parse the invalid data.
git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@2637 b64f7644-9d1e-0410-96f1-a4d463321fa5
-rw-r--r--contrib/libdvdread/A01-check-nr_of_lus.patch17
1 files changed, 17 insertions, 0 deletions
diff --git a/contrib/libdvdread/A01-check-nr_of_lus.patch b/contrib/libdvdread/A01-check-nr_of_lus.patch
new file mode 100644
index 000000000..d49fb9499
--- /dev/null
+++ b/contrib/libdvdread/A01-check-nr_of_lus.patch
@@ -0,0 +1,17 @@
+diff -Naur libdvdread.orig/src/ifo_read.c libdvdread/src/ifo_read.c
+--- libdvdread.orig/src/ifo_read.c 2009-01-08 14:57:10.000000000 -0800
++++ libdvdread/src/ifo_read.c 2009-06-27 13:22:27.940241400 -0700
+@@ -1914,6 +1914,13 @@
+ CHECK_VALUE(pgci_ut->nr_of_lus < 100); /* ?? 3-4 ? */
+ CHECK_VALUE((uint32_t)pgci_ut->nr_of_lus * PGCI_LU_SIZE < pgci_ut->last_byte);
+
++ if (pgci_ut->nr_of_lus == 0 || pgci_ut->nr_of_lus >= 100)
++ {
++ free(pgci_ut);
++ ifofile->pgci_ut = 0;
++ return 0;
++ }
++
+ info_length = pgci_ut->nr_of_lus * PGCI_LU_SIZE;
+ data = malloc(info_length);
+ if(!data) {
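Review bot: The added guard enforces only the `nr_of_lus` range; the size relation tested by the second `CHECK_VALUE` (`nr_of_lus * PGCI_LU_SIZE < last_byte`) is still not enforced before `info_length` is computed and the table is read. Since the commit needs its own guard directly after `CHECK_VALUE(pgci_ut->nr_of_lus < 100)`, that macro presumably only reports, so a table that claims more language units than `last_byte` covers would still be parsed. Consider folding the relation into the same early exit: `if (pgci_ut->nr_of_lus == 0 || pgci_ut->nr_of_lus >= 100 || (uint32_t)pgci_ut->nr_of_lus * PGCI_LU_SIZE >= pgci_ut->last_byte)`. The enclosing function starts and ends outside the hunk, so whether `return 0` matches its failure convention, and whether anything besides `pgci_ut` needs releasing on this path, cannot be confirmed from here.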