[libbluray-devel] Check index.bdmv and MovieObject.bdmv data area size (must fit to the file)

[hpi1]

libbluray | branch: master | hpi1 <hpi1 at anonymous.org> | Tue Nov 15 21:17:07 2011 +0200| [04051bba980e2aff8ef296e758a1be7a78ef5cd1] | committer: hpi1

Check index.bdmv and MovieObject.bdmv data area size (must fit to the file)

> http://git.videolan.org/gitweb.cgi/libbluray.git/?a=commit;h=04051bba980e2aff8ef296e758a1be7a78ef5cd1
---

 src/libbluray/bdnav/index_parse.c |    7 ++++++-
 src/libbluray/hdmv/mobj_parse.c   |    6 ++++++
 2 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/src/libbluray/bdnav/index_parse.c b/src/libbluray/bdnav/index_parse.c
index e0faf10..1ee316a 100644
--- a/src/libbluray/bdnav/index_parse.c
+++ b/src/libbluray/bdnav/index_parse.c
@@ -66,7 +66,12 @@ static int _parse_index(BITSTREAM *bs, INDX_ROOT *index)
 
     index_len = bs_read(bs, 32);
 
-    /* TODO: check if goes to extension data area or EOF */
+    /* TODO: check if goes to extension data area */
+
+    if ((bs_end(bs) - bs_pos(bs))/8 < (off_t)index_len) {
+        BD_DEBUG(DBG_NAV | DBG_CRIT, "index.bdmv: invalid index_len %d !\n", index_len);
+        return 0;
+    }
 
     if (!_parse_playback_obj(bs, &index->first_play) ||
         !_parse_playback_obj(bs, &index->top_menu)) {
diff --git a/src/libbluray/hdmv/mobj_parse.c b/src/libbluray/hdmv/mobj_parse.c
index 460461f..960ba16 100644
--- a/src/libbluray/hdmv/mobj_parse.c
+++ b/src/libbluray/hdmv/mobj_parse.c
@@ -135,6 +135,12 @@ static MOBJ_OBJECTS *_mobj_parse(const char *file_name)
     bs_seek_byte(&bs, 40);
 
     data_len = bs_read(&bs, 32);
+
+    if ((bs_end(&bs) - bs_pos(&bs))/8 < (off_t)data_len) {
+        BD_DEBUG(DBG_NAV | DBG_CRIT, "%s: invalid data_len %d !\n", file_name, data_len);
+        goto error;
+    }
+
     bs_skip(&bs, 32); /* reserved */
     num_objects = bs_read(&bs, 16);