[libbluray-devel] Sanity check partition map sizes

[Petri Hintukainen]

libudfread | branch: master | Petri Hintukainen <phintuka at gmail.com> | Sat Jun 24 20:05:05 2017 +0300| [ebffeb3ed46d1fed6806e09603a19cb121c92de0] | committer: Petri Hintukainen

Sanity check partition map sizes

Fix possible OOB read (corrupt input)

> http://git.videolan.org/gitweb.cgi/libudfread.git/?a=commit;h=ebffeb3ed46d1fed6806e09603a19cb121c92de0
---

 src/udfread.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/udfread.c b/src/udfread.c
index 18ac985..2ce87ab 100644
--- a/src/udfread.c
+++ b/src/udfread.c
@@ -599,6 +599,11 @@ static int _parse_udf_partition_maps(udfread_block_input *input,
 
             /* ECMA 167 Type 1 partition map */
 
+            if (len != 6) {
+                udf_error("invalid type 1 partition map length %d\n", (int)len);
+                break;
+            }
+
             ref = _get_u16(map + 4);
             udf_log("partition map: %u: type 1 partition, ref %u\n", i, ref);
 
@@ -619,6 +624,11 @@ static int _parse_udf_partition_maps(udfread_block_input *input,
 
             /* Type 2 partition map, UDF 2.60 2.2.18 */
 
+            if (len != 64) {
+                udf_error("invalid type 2 partition map length %d\n", (int)len);
+                break;
+            }
+
             struct entity_id type_id;
             decode_entity_id(map + 4, &type_id);
             if (!_check_domain_identifier(&type_id, meta_domain_id)) {