From 380f95ea0159b2f01b8c7f4a031d4cc5a860f714 Mon Sep 17 00:00:00 2001 From: Vincent Penquerc'h Date: Tue, 8 Apr 2014 14:19:29 +0100 Subject: [PATCH] resindvd: guard against overflow in menu subtitle streams There is space for a single subtitle stream, but up to 255 may be used based on a uint8_t value in a struct, which may or may not be read from the (untrusted) data. A comment in ifo_types.h says this value is either 0 or 1, so we can ensure this here without drawbacks. Coverity 1139586 --- ext/resindvd/resindvdsrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/resindvd/resindvdsrc.c b/ext/resindvd/resindvdsrc.c index e17478f..34f2043 100644 --- a/ext/resindvd/resindvdsrc.c +++ b/ext/resindvd/resindvdsrc.c @@ -1949,7 +1949,7 @@ rsn_dvdsrc_prepare_streamsinfo_event (resinDvdSrc * src) a_attrs = &vts_attr->vtsm_audio_attr; n_audio = vts_attr->nr_of_vtsm_audio_streams; s_attrs = &vts_attr->vtsm_subp_attr; - n_subp = vts_attr->nr_of_vtsm_subp_streams; + n_subp = MAX (1, vts_attr->nr_of_vtsm_subp_streams); } else { /* VTS domain */ vts_attr = get_vts_attr (src, src->vts_n); -- 2.7.4