libbluray | branch: master | hpi1 <[email protected]> | Tue Nov 15 21:17:07 2011 +0200| [04051bba980e2aff8ef296e758a1be7a78ef5cd1] | committer: hpi1
Check index.bdmv and MovieObject.bdmv data area size (must fit to the file)
> http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=04051bba980e2aff8ef296e758a1be7a78ef5cd1
---
src/libbluray/bdnav/index_parse.c | 7 ++++++-
src/libbluray/hdmv/mobj_parse.c | 6 ++++++
2 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/src/libbluray/bdnav/index_parse.c b/src/libbluray/bdnav/index_parse.c
index e0faf10..1ee316a 100644
--- a/src/libbluray/bdnav/index_parse.c
+++ b/src/libbluray/bdnav/index_parse.c
@@ -66,7 +66,12 @@ static int _parse_index(BITSTREAM *bs, INDX_ROOT *index)
 index_len = bs_read(bs, 32);
- /* TODO: check if goes to extension data area or EOF */
+ /* TODO: check if goes to extension data area */
+
+ if ((bs_end(bs) - bs_pos(bs))/8 < (off_t)index_len) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "index.bdmv: invalid index_len %d !\n", index_len);
+ return 0;
+ }
 if (!_parse_playback_obj(bs, &index->first_play) ||
 !_parse_playback_obj(bs, &index->top_menu)) {
diff --git a/src/libbluray/hdmv/mobj_parse.c b/src/libbluray/hdmv/mobj_parse.c
index 460461f..960ba16 100644
--- a/src/libbluray/hdmv/mobj_parse.c
+++ b/src/libbluray/hdmv/mobj_parse.c
@@ -135,6 +135,12 @@ static MOBJ_OBJECTS *_mobj_parse(const char *file_name)
 bs_seek_byte(&bs, 40);
 data_len = bs_read(&bs, 32);
+
+ if ((bs_end(&bs) - bs_pos(&bs))/8 < (off_t)data_len) {
+ BD_DEBUG(DBG_NAV | DBG_CRIT, "%s: invalid data_len %d !\n", file_name, data_len);
+ goto error;
+ }
+
 bs_skip(&bs, 32); /* reserved */
 num_objects = bs_read(&bs, 16);
_______________________________________________
libbluray-devel mailing list
[email protected]
http://mailman.videolan.org/listinfo/libbluray-devel
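Review bot: The cast in `(off_t)index_len` can defeat the new bounds check in _parse_index on builds where off_t is 32 bits wide. If index_len is an unsigned 32-bit value, as `bs_read(bs, 32)` suggests (its declaration is outside the hunk), anything above INT32_MAX typically converts to a negative off_t, the `<` comparison is then false, and an oversized length is accepted. Comparing in a fixed 64-bit type avoids that, e.g. `if ((int64_t)(bs_end(bs) - bs_pos(bs)) / 8 < (int64_t)index_len) {`, and the log line should print the value with `%u` rather than `%d`. The same cast and format specifier appear in the data_len check in mobj_parse.c.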
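Review bot: The added check in _mobj_parse only shows that data_len fits in the file; `num_objects`, read two lines later, is not compared against data_len anywhere in the visible lines. If the code after the hunk sizes an allocation or a parse loop from num_objects (not shown here), a file with a valid data_len and an inflated object count could still drive reads past the data area. I would at least record that next to the read, `/* TODO: check that num_objects fits in data_len */`, or add the bound once the minimum per-object size is settled. The function body and the `error` label are outside the hunk.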
