From 2cb0e60451671090f0dfc419da79f42cbd0f87a6 Mon Sep 17 00:00:00 2001
From: jstebbins
Date: Sat, 27 Jun 2009 20:29:50 +0000
Subject: libdvdread: patch libdvdread malloc bomb if pgci_ut->nr_of_lus is an invalid value, libdvdread can malloc GB of data while attempting to parse invalid data
git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@2637 b64f7644-9d1e-0410-96f1-a4d463321fa5
---
contrib/libdvdread/A01-check-nr_of_lus.patch | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 contrib/libdvdread/A01-check-nr_of_lus.patch
diff --git a/contrib/libdvdread/A01-check-nr_of_lus.patch b/contrib/libdvdread/A01-check-nr_of_lus.patch
new file mode 100644
index 000000000..d49fb9499
--- /dev/null
+++ b/contrib/libdvdread/A01-check-nr_of_lus.patch
@@ -0,0 +1,17 @@
+diff -Naur libdvdread.orig/src/ifo_read.c libdvdread/src/ifo_read.c
+--- libdvdread.orig/src/ifo_read.c 2009-01-08 14:57:10.000000000 -0800
++++ libdvdread/src/ifo_read.c 2009-06-27 13:22:27.940241400 -0700
+@@ -1914,6 +1914,13 @@
+ CHECK_VALUE(pgci_ut->nr_of_lus < 100); /* ?? 3-4 ? */
+ CHECK_VALUE((uint32_t)pgci_ut->nr_of_lus * PGCI_LU_SIZE < pgci_ut->last_byte);
+
++ if (pgci_ut->nr_of_lus == 0 || pgci_ut->nr_of_lus >= 100)
++ {
++ free(pgci_ut);
++ ifofile->pgci_ut = 0;
++ return 0;
++ }
++
+ info_length = pgci_ut->nr_of_lus * PGCI_LU_SIZE;
+ data = malloc(info_length);
+ if(!data) {
--
cgit v1.2.3
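Review bot: The added guard in ifo_read.c hard-rejects only the count bound, so the second relation tested by the preceding CHECK_VALUE, the LU table size against `pgci_ut->last_byte`, is still not enforced before `info_length` is computed and passed to `malloc`. CHECK_VALUE appears to be advisory only (otherwise the new check would be redundant), so a table whose declared size reaches or exceeds `last_byte` would still proceed to the allocation and the read that follows. I would extend the condition to `if (pgci_ut->nr_of_lus == 0 || pgci_ut->nr_of_lus >= 100 || (uint32_t)pgci_ut->nr_of_lus * PGCI_LU_SIZE >= pgci_ut->last_byte)`. A one-line comment such as `/* CHECK_VALUE only warns; reject untrusted counts before allocating */` would help, once its wording is confirmed against the macro. The enclosing function begins and ends outside the hunk, so whether anything else must be released on this early return cannot be confirmed from here.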