[libdvdnav-devel] Crashes with corrupt ISO
Steve Dibb
beandog at gentoo.org
Tue Dec 23 17:51:50 CET 2014
On 12/12/2014 01:50 AM, Thomas Lindroth wrote:
> Corrupt ISOs often result in crashes. Here is one example
> https://www.dropbox.com/s/qjln2bnojscn8bv/libdvdread_segfault.iso
Awesome, thanks. Getting broken ISOs / IFOs is way helpful.
> The problem with this file is that the value of cmd_tbl->nr_of_post in
> ifoRead_PGC_COMMAND_TBL() gets corrupt. The call to DVDReadBytes() at
> ifo_read.c:763 will fail as a result and cmd_tbl->pre_cmds and
> cmd_tbl->post_cmds will be freed but not set to NULL. The error path in
> ifo_read.c:1936 then tries to free up all PGC structures and calls
> ifoFree_PGC_COMMAND_TBL() on the partially freed command_tbl. It only
> checks if cmd_tbl->pre_cmds != NULL and tries to free it again. If I fix
> this problem I get another crash in ifoFree_PGCIT_internal() because it
> tries to access (*pgcit)->pgci_srp which was already freed in
> ifoRead_PGCIT_internal().
Navigating the ifoOpen chain of events is really difficult.
> It looks like there are many other places where freed pointers aren't
> set to NULL and pointers aren't checked for NULL before access or free.
> I don't have the willpower to look for them all myself so I instead
> propose that someone else should do something about it.
Agreed. I'm willing to take it on, but having broken sources makes life a lot easier sometimes, so if you have more, post them here or send them my way and I'll debug them.
> I found this crash and many others with the afl-fuzz fuzzer.
Send me anything you've got. :)
Steve
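The failure mode described in the quoted report is a double free on an error path: buffers are released when a read fails, the pointers are left dangling, and a later "free everything" pass sees non-NULL pointers and frees them again. The following is an added example, not libdvdread's or libdvdnav's code. It uses a hypothetical simplified command table with the same field names the report mentions (nr_of_pre, nr_of_post, pre_cmds, post_cmds) and a constructed byte source standing in for DVDReadBytes(), to show the free-and-NULL discipline that makes the second cleanup pass harmless.

```c
/* Added example, not libdvdread's own code: a simplified command table in the
 * shape the thread describes and an error path that frees-and-NULLs so that a
 * later cleanup pass cannot double free. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint16_t nr_of_pre;
    uint16_t nr_of_post;
    uint8_t *pre_cmds;   /* nr_of_pre * 8 bytes when allocated */
    uint8_t *post_cmds;  /* nr_of_post * 8 bytes when allocated */
} cmd_tbl_t;

/* Hypothetical byte source standing in for DVDReadBytes(). `avail` models a
 * truncated or corrupt file: reads past it come back short. */
typedef struct { const uint8_t *data; size_t avail; size_t pos; } reader_t;

static size_t reader_read(reader_t *r, uint8_t *dst, size_t n) {
    size_t left = r->avail > r->pos ? r->avail - r->pos : 0;
    size_t got = n < left ? n : left;
    memcpy(dst, r->data + r->pos, got);
    r->pos += got;
    return got;
}

/* Release the table's buffers. Safe to call repeatedly because every free()
 * is immediately followed by setting the pointer to NULL. */
void cmd_tbl_free(cmd_tbl_t *t) {
    if (!t) return;
    free(t->pre_cmds);  t->pre_cmds = NULL;  t->nr_of_pre = 0;
    free(t->post_cmds); t->post_cmds = NULL; t->nr_of_post = 0;
}

/* Read both command arrays. On a short read, release what was allocated and
 * leave the struct in a state a later cleanup can free again harmlessly.
 * Returns 1 on success, 0 on failure. */
int cmd_tbl_read(reader_t *r, cmd_tbl_t *t) {
    t->pre_cmds = NULL; t->post_cmds = NULL;
    if (t->nr_of_pre) {
        size_t want = (size_t)t->nr_of_pre * 8u;
        t->pre_cmds = calloc(t->nr_of_pre, 8);
        if (!t->pre_cmds || reader_read(r, t->pre_cmds, want) != want)
            goto fail;
    }
    if (t->nr_of_post) {
        size_t want = (size_t)t->nr_of_post * 8u;
        t->post_cmds = calloc(t->nr_of_post, 8);
        if (!t->post_cmds || reader_read(r, t->post_cmds, want) != want)
            goto fail;
    }
    return 1;
fail:
    cmd_tbl_free(t);  /* frees and NULLs, so the caller's cleanup is a no-op */
    return 0;
}

/* Constructed scenario: the header claims 2 pre and 1000 post commands, but
 * the source only holds 16 bytes, like a corrupt ISO. Returns 1 if the read
 * failed, the pointers were cleared, and two further cleanup passes ran. */
int demo_corrupt_table(void) {
    uint8_t bytes[16] = {0};
    reader_t r = { bytes, sizeof bytes, 0 };
    cmd_tbl_t t = { 2, 1000, NULL, NULL };
    if (cmd_tbl_read(&r, &t)) return 0;
    if (t.pre_cmds != NULL || t.post_cmds != NULL) return 0;
    cmd_tbl_free(&t);   /* the "error path frees all PGC structures" step */
    cmd_tbl_free(&t);   /* still harmless */
    return 1;
}

/* Constructed scenario: enough bytes for 1 pre and 1 post command. Returns 1
 * if the read succeeds and both buffers are allocated. */
int demo_valid_table(void) {
    uint8_t bytes[16] = {1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16};
    reader_t r = { bytes, sizeof bytes, 0 };
    cmd_tbl_t t = { 1, 1, NULL, NULL };
    int ok = cmd_tbl_read(&r, &t) && t.pre_cmds && t.post_cmds
             && t.post_cmds[7] == 16;
    cmd_tbl_free(&t);
    return ok ? 1 : 0;
}

int main(void) {
    printf("corrupt table handled: %s\n", demo_corrupt_table() ? "yes" : "no");
    printf("valid table read: %s\n", demo_valid_table() ? "yes" : "no");
    return 0;
}
```

The point is the pairing in cmd_tbl_free(): because the free function both releases and clears, every caller, including the error path in the reader, can delegate to it, and a second pass over the same structure becomes a no-op instead of a crash. Running a fuzzer-found file through such code under a sanitizer (ASan or valgrind) is the quickest way to confirm no freed pointer is touched.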