[libdvdnav-devel] Crashes with corrupt ISO
Thomas Lindroth
thomas.lindroth at gmail.com
Fri Dec 12 09:50:51 CET 2014
Corrupt ISOs often result in crashes. Here is one example
https://www.dropbox.com/s/qjln2bnojscn8bv/libdvdread_segfault.iso
The problem with this file is that the value of cmd_tbl->nr_of_post in
ifoRead_PGC_COMMAND_TBL() gets corrupt. The call to DVDReadBytes() at
ifo_read.c:763 will fail as a result and cmd_tbl->pre_cmds and
cmd_tbl->post_cmds will be freed but not set to NULL. The error path in
ifo_read.c:1936 then tries to free up all PGC structures and calls
ifoFree_PGC_COMMAND_TBL() on the partially freed command_tbl. It only
checks if cmd_tbl->pre_cmds != NULL and tries to free it again. If I fix
this problem I get another crash in ifoFree_PGCIT_internal() because it
tries to access (*pgcit)->pgci_srp which was already freed in
ifoRead_PGCIT_internal().
It looks like there are many other places where freed pointers aren't
set to NULL and pointers aren't checked for NULL before access or free.
I don't have the willpower to look for them all myself so I instead
propose that someone else should do something about it.
I found this crash and many others with the afl-fuzz fuzzer.
More information about the libdvdnav-devel
mailing list