Package: libdvdread4
Version: 4.1.4-*

When reading DVD 'The Express' via dvdbackup -I, I get a core dump:

*** glibc detected *** dvdbackup: free(): invalid next size (normal): 0x0000000002ccef70 ***

Using Valgrind, I was able to track down the culprit, in the file ifo_read.c, function ifoRead_TT_SRPT, where a structure array is allocated, but another variable, extracted from the DVD info, determines the length of the array, resulting in reads/writes beyond the array. I truncate the read, but perhaps a better solution would be to expand the malloc to include the data off the DVD. I believe that, however, could lead to out of memory errors if the DVD data was bad/invalid.

With the applied patch, dvdbackup no longer segfaults.

Cheers.

diff -ru libdvdread-4.1.3/src/ifo_read.c libdvdread-4.1.3-t/src/ifo_read.c
--- libdvdread-4.1.3/src/ifo_read.c	2008-09-06 15:55:51.000000000 -0600
+++ libdvdread-4.1.3-t/src/ifo_read.c	2011-11-23 15:01:31.000000000 -0700
@@ -843,10 +843,10 @@
 
   /* verify time (look at print_time) */
   for(i = 0; i < 8; i++)
-    if(!pgc->audio_control[i] & 0x8000) /* The 'is present' bit */
+    if(!(pgc->audio_control[i] & 0x8000)) /* The 'is present' bit */
       CHECK_ZERO(pgc->audio_control[i]);
   for(i = 0; i < 32; i++)
-    if(!pgc->subp_control[i] & 0x80000000) /* The 'is present' bit */
+    if(!(pgc->subp_control[i] & 0x80000000)) /* The 'is present' bit */
       CHECK_ZERO(pgc->subp_control[i]);
 
   /* Check that time is 0:0:0:0 also if nr_of_programs == 0 */
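Review bot: this precedence fix is correct but is not mentioned anywhere in the report: `!pgc->audio_control[i] & 0x8000` parses as `(!pgc->audio_control[i]) & 0x8000`, and since `!x` is 0 or 1 that expression is 0 for every value, so `CHECK_ZERO` was never reached; the same holds for the `subp_control` line with `0x80000000`. Because it is unrelated to the `ifoRead_TT_SRPT` crash described above, call it out in the submission text or split it into its own patch so the maintainer can review it on its own merits.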
@@ -1027,7 +1027,12 @@
     ifoFree_TT_SRPT(ifofile);
     return 0;
   }
-
+	if( tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
+		fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
+		  info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
+		tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
+	}
+		 
   for(i =  0; i < tt_srpt->nr_of_srpts; i++) {
     B2N_16(tt_srpt->title[i].nr_of_ptts);
     B2N_16(tt_srpt->title[i].parental_id);
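Review bot: the diagnostic's format string does not match its arguments: `info_length/sizeof(title_info_t)` has type `size_t` but is printed with `%ld`, and the message labels that value "info_length" although it is the entry count derived from it; use `%zu` and name it accordingly, e.g. `"libdvdread: data mismatch: info_length allows %zu entries, nr_of_srpts is %d. Truncating.\n"`. Style: the added lines are tab-indented and the otherwise blank `+		 ` line carries trailing whitespace while the surrounding code uses two-space indentation; reflow to match and keep the blank line the hunk removes. Also, the diff header names libdvdread-4.1.3 while the report is filed against 4.1.4, so state which tree the patch was tested against.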

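The defect the report describes is a count field and a byte length that both come off the disc and are never reconciled, so the loop bound and the allocation disagree. The following added example, written for this note and not taken from libdvdread, shows the invariant a parser should enforce before touching the array: the claimed entry count may not exceed what the payload length can hold. The entry layout `title_entry_t`, the helper names and the sample buffer are all constructed for illustration and do not reproduce libdvdread's real `title_info_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an on-disc title entry: 8 bytes, big-endian fields.
   This is NOT libdvdread's real title_info_t layout. */
typedef struct {
  uint16_t nr_of_ptts;
  uint16_t parental_id;
  uint32_t title_set_sector;
} title_entry_t;

/* Constructed sample payload: only two 8-byte entries fit in 16 bytes. */
static const uint8_t SAMPLE_BUF[16] = {
  0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, /* ptts=3, parental=1, sector=256 */
  0x00, 0x07, 0x00, 0x02, 0x00, 0x00, 0x02, 0x00, /* ptts=7, parental=2, sector=512 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reconcile the header's entry count with the byte length of the payload.
   Neither value is trusted; the returned count is the one that is safe to
   allocate for AND to iterate over, truncating like the patch does. */
size_t safe_entry_count(uint32_t claimed_count, uint32_t info_length) {
  size_t max_entries = info_length / sizeof(title_entry_t);
  if (claimed_count > max_entries) {
    fprintf(stderr, "data mismatch: info_length allows %zu entries, header claims %u; truncating\n",
            max_entries, claimed_count);
    return max_entries;
  }
  return claimed_count;
}

/* Allocate exactly for the safe count and decode that many entries.
   Returns NULL only on allocation failure; *out_count receives the count. */
title_entry_t *parse_entries(const uint8_t *buf, uint32_t buf_len,
                             uint32_t claimed_count, size_t *out_count) {
  size_t n = safe_entry_count(claimed_count, buf_len);
  /* calloc(0) may return NULL on some platforms; allocate at least one slot */
  title_entry_t *arr = calloc(n ? n : 1, sizeof *arr);
  if (!arr) return NULL;
  for (size_t i = 0; i < n; i++) {
    const uint8_t *p = buf + i * sizeof(title_entry_t);
    arr[i].nr_of_ptts = be16(p);
    arr[i].parental_id = be16(p + 2);
    arr[i].title_set_sector = be32(p + 4);
  }
  *out_count = n;
  return arr;
}

int main(void) {
  size_t n = 0;
  /* Header claims 5 entries, payload only holds 2: the loop is bounded by 2. */
  title_entry_t *t = parse_entries(SAMPLE_BUF, sizeof SAMPLE_BUF, 5, &n);
  if (!t) return 1;
  for (size_t i = 0; i < n; i++)
    printf("entry %zu: ptts=%u parental=%u sector=%u\n", i,
           t[i].nr_of_ptts, t[i].parental_id, t[i].title_set_sector);
  free(t);
  return 0;
}
```

The point of `safe_entry_count` is that the same value feeds both the `calloc` and the loop, which is the consistency the original code lacked; whether to truncate (as the patch does) or reject the structure outright is a policy choice, and the report's own concern about growing the allocation to an attacker-controlled size is why truncation or rejection is preferable to expanding the malloc.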