From db7934233f614a91a8bebc46de4ff0df23ff9ce4 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Tue, 8 Apr 2014 14:24:31 +0100
Subject: [PATCH] resindvd: guard against overflow in audio subtitle streams
Turns out there was the same issue as with subtitles. There is space for a single audio stream, but up to 255 may be used based on a uint8_t value in a struct, which may or may not be read from the (untrusted) data. A comment in ifo_types.h says this value is either 0 or 1, so we can ensure this here without drawbacks. Coverity 1139585
---
 ext/resindvd/resindvdsrc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/resindvd/resindvdsrc.c b/ext/resindvd/resindvdsrc.c
index 34f2043958..95d3ca116c 100644
--- a/ext/resindvd/resindvdsrc.c
+++ b/ext/resindvd/resindvdsrc.c
@@ -1947,7 +1947,7 @@ rsn_dvdsrc_prepare_streamsinfo_event (resinDvdSrc * src)
 vts_attr = get_vts_attr (src, src->vts_n);
 v_attr = &vts_attr->vtsm_video_attr;
 a_attrs = &vts_attr->vtsm_audio_attr;
- n_audio = vts_attr->nr_of_vtsm_audio_streams;
+ n_audio = MAX (1, vts_attr->nr_of_vtsm_audio_streams);
 s_attrs = &vts_attr->vtsm_subp_attr;
 n_subp = MAX (1, vts_attr->nr_of_vtsm_subp_streams);
 } else {
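Review bot: The added `n_audio = MAX (1, vts_attr->nr_of_vtsm_audio_streams);` sets a lower bound of 1, not an upper bound, so a count of up to 255 taken from the untrusted IFO data still passes through unchanged. The commit message says there is room for a single audio stream, so the clamp it describes would be `n_audio = MIN (1, vts_attr->nr_of_vtsm_audio_streams);`. MAX also turns a legitimate 0 into 1, reporting a stream the menu does not have. The unchanged context line `n_subp = MAX (1, vts_attr->nr_of_vtsm_subp_streams);` has the same shape and likely needs the same correction. The function body starts and ends outside the hunk, so how n_audio later bounds the walk over a_attrs is not visible here and should be checked when fixing this.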