[libdvdnav-devel] Crashes with corrupt ISO

Steve Dibb beandog at gentoo.org
Tue Dec 23 19:19:34 CET 2014


On 12/23/2014 09:51 AM, Steve Dibb wrote:

>> The problem with this file is that the value of cmd_tbl->nr_of_post in
>> ifoRead_PGC_COMMAND_TBL() gets corrupt. The call to DVDReadBytes() at
>> ifo_read.c:763 will fail as a result and cmd_tbl->pre_cmds and
>> cmd_tbl->post_cmds will be freed but not set to NULL. The error path in
>> ifo_read.c:1936 then tries to free up all PGC structures and calls
>> ifoFree_PGC_COMMAND_TBL() on the partially freed command_tbl. It only
>> checks if cmd_tbl->pre_cmds != NULL and tries to free it again. If I fix
>> this problem I get another crash in ifoFree_PGCIT_internal() because it
>> tries to access (*pgcit)->pgci_srp which was already freed in
>> ifoRead_PGCIT_internal().

Okay, took a closer look at it.  I've noticed a pattern earlier in writing my own tools that the program chain is poorly populated / verified, and this confirms and highlights the point much more clearly.

The basic fix is pretty simple, like you said, check for NULL pointers and work around garbage data if it's not present.  The complexity of how the code opens and accesses it all makes it difficult, but not impossible.  I'll spend some time looking at it more closely when I can.  It really needs to be fixed.

Steve
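A simplified illustration of the failure mode in the quoted report, added here as an example and not libdvdnav's own code: a stand-in for the PGC command table whose read fails on a corrupt count, written first with the defective free-without-NULL error path and then with a free-and-NULL, idempotent cleanup that a caller's generic error path can safely invoke again. The struct and function names, and the 8 bytes per command, are assumptions modelled on the names in the report.

```c
#include <stdlib.h>
#include <stdint.h>

/* Stand-in for the PGC command table (assumed shape, not libdvdnav's). */
typedef struct {
    uint16_t nr_of_pre;
    uint16_t nr_of_post;
    uint8_t *pre_cmds;
    uint8_t *post_cmds;
} cmd_tbl_t;

/* Stand-in for DVDReadBytes(): succeeds only if `want` bytes are available.
 * A corrupt nr_of_post makes `want` exceed what the image holds, so it fails. */
static int read_bytes(const uint8_t *src, size_t avail, size_t want) {
    (void)src;
    return want <= avail;
}

/* Defective pattern from the report: on failure both buffers are freed but
 * the pointers stay non-NULL, so a later generic cleanup frees them again. */
int read_cmd_tbl_unsafe(cmd_tbl_t *t, const uint8_t *data, size_t avail) {
    t->pre_cmds  = malloc((size_t)t->nr_of_pre * 8);
    t->post_cmds = malloc((size_t)t->nr_of_post * 8);
    if (!read_bytes(data, avail, (size_t)t->nr_of_post * 8)) {
        free(t->pre_cmds);
        free(t->post_cmds);   /* dangling: the next free is a double free */
        return 0;
    }
    return 1;
}

/* Hardened: every free is paired with nulling the pointer, and the helper
 * tolerates an already-released table, so the caller's error path can run
 * the same cleanup again (as ifoFree_PGC_COMMAND_TBL would) without harm. */
void free_cmd_tbl(cmd_tbl_t *t) {
    if (!t) return;
    free(t->pre_cmds);  t->pre_cmds  = NULL;
    free(t->post_cmds); t->post_cmds = NULL;
    t->nr_of_pre = t->nr_of_post = 0;
}

int read_cmd_tbl_safe(cmd_tbl_t *t, const uint8_t *data, size_t avail) {
    t->pre_cmds  = malloc((size_t)t->nr_of_pre * 8);
    t->post_cmds = malloc((size_t)t->nr_of_post * 8);
    if ((t->nr_of_post && !t->post_cmds) || (t->nr_of_pre && !t->pre_cmds) ||
        !read_bytes(data, avail, (size_t)t->nr_of_post * 8)) {
        free_cmd_tbl(t);      /* leaves a clean, re-freeable table behind */
        return 0;
    }
    return 1;
}
```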
