From c9ae744fe821acb15b8f822a9a3e9f618cad8de8 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sat, 7 Jul 2012 21:11:36 +0200
Subject: [PATCH 1/5] Prevent segmentation faults in dvdnav_describe_title_chapters() in case of parts with missing PGC

---
 src/searching.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/searching.c b/src/searching.c
index 2846403..3bdecab 100644
--- a/src/searching.c
+++ b/src/searching.c
@@ -617,6 +617,10 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
 for(i=0; ivts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc;
+ if (pgc == NULL) {
+ printerr("PGC missing.");
+ continue;
+ }
 if(ptt[i].pgn > pgc->nr_of_programs) {
 printerr("WRONG part number.");
 goto fail;
--
1.8.0.2

From 83235407f0d4c09578eb2cfdbed49eea122eb97e Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sat, 7 Jul 2012 22:23:47 +0200
Subject: [PATCH 2/5] Let dvdnav_describe_title_chapters() ignore parts where the pgc_start_byte is above the last_byte

This is a heuristic to prevent segfaults when ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc is invalid but non-NULL.
---
 src/searching.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/searching.c b/src/searching.c
index 3bdecab..96c5c7f 100644
--- a/src/searching.c
+++ b/src/searching.c
@@ -616,6 +616,10 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
 length = 0;
 for(i=0; ivts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc_start_byte >= ifo->vts_pgcit->last_byte) {
+ printerr("PGC start out of bounds");
+ continue;
+ }
 pgc = ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc;
 if (pgc == NULL) {
 printerr("PGC missing.");
--
1.8.0.2

From a2865be4242a14b896dfd7ba2c7dd10988f12762 Mon Sep 17 00:00:00 2001
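Review bot: The `continue` after `printerr("PGC missing.");` skips the rest of the loop body for part i, so whatever per-part result the body stores later (outside this hunk) is never written for that chapter; unless the result array is zero-initialised where it is allocated, the caller receives an unspecified duration for the skipped part. The same holds for every `continue` added in the following four hunks. The neighbouring `WRONG part number.` check aborts the whole call with `goto fail` while a missing PGC is merely skipped, and nothing says why the milder treatment is the right one here; a comment such as `/* Skip this part rather than failing the title: a single chapter without a PGC should not make the whole title undescribable. */` above the new `if` would make the choice reviewable. The enclosing `for` loop starts and ends outside the hunk.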
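Review bot: The `pgc_start_byte >= last_byte` test is a heuristic whose rationale exists only in the commit message, and the code gives a reader no reason why an offset comparison should say anything about the validity of the `pgc` pointer read two lines below. Add the reasoning next to the check, e.g. `/* Heuristic: a PGC whose start offset lies at or beyond the table's last byte cannot have been parsed from this table, so its pgc pointer is untrustworthy even when non-NULL. */`. The message `"PGC start out of bounds"` also lacks the trailing period the surrounding `printerr` calls use. The loop body continues outside the hunk.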
From: Fabian Keil
Date: Sat, 14 Jul 2012 00:13:19 +0200
Subject: [PATCH 3/5] Let dvdnav_describe_title_chapters() skip PGCs with a cell number of zero

In this case pgc->program_map can be invalid and accessing it results in a core dump due to SIGBUS.
---
 src/searching.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/searching.c b/src/searching.c
index 96c5c7f..4c3fb2f 100644
--- a/src/searching.c
+++ b/src/searching.c
@@ -630,6 +630,10 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
 goto fail;
 }
+ if (pgc->nr_of_cells == 0) {
+ printerr("Number of cells cannot be 0");
+ continue;
+ }
 if ((cellnr = pgc->program_map[ptt[i].pgn-1]) == 0) {
 printerr("Cell new row cannot be 0");
 continue;
--
1.8.0.2

From 3c199d053e181da7c0ef95b542e77cda9476b8c4 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 4 Nov 2012 18:03:33 +0100
Subject: [PATCH 4/5] Add a couple of additional sanity checks for dvdnav_describe_title_chapters()

Fixes crashes with non-compliant DVDs after applying the duplicate detection patch for libdvdread. It might make more sense to do those checks in libdvdread instead and zero out structures that don't check out.
---
 src/searching.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/searching.c b/src/searching.c
index 4c3fb2f..c044199 100644
--- a/src/searching.c
+++ b/src/searching.c
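Review bot: The new `nr_of_cells == 0` guard does not bound the index used on the very next line, `pgc->program_map[ptt[i].pgn-1]`: the only visible check on `ptt[i].pgn` is the `> pgc->nr_of_programs` comparison whose tail (`goto fail; }`) opens this hunk, and that does not reject `ptt[i].pgn == 0`, which would read `program_map[-1]` unless a zero part number is filtered earlier in the loop body (outside the hunk). Extending the existing test to `if (ptt[i].pgn == 0 || ptt[i].pgn > pgc->nr_of_programs) {` closes that gap without another `continue`. The link between a zero cell count and an invalid `program_map` is stated only in the commit message; a comment on the new `if`, e.g. `/* A PGC without cells may carry an unparsed program_map; do not index it. */`, keeps that knowledge with the code.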
@@ -620,6 +620,18 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
 printerr("PGC start out of bounds");
 continue;
 }
+ if (0 == ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc_start_byte) {
+ printerr("PGC start zero.");
+ continue;
+ }
+ if (0 != (ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc_start_byte & 1)) {
+ printerr("PGC start unaligned.");
+ continue;
+ }
+ if (0 != ((int)(ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc) & 1)) {
+ printerr("PGC pointer unaligned.");
+ continue;
+ }
 pgc = ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc;
 if (pgc == NULL) {
 printerr("PGC missing.");
--
1.8.0.2

From d77bda56143b4c85b872ff7e0574070d024aff0b Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sat, 8 Dec 2012 21:52:08 +0100
Subject: [PATCH 5/5] Let dvdnav_describe_title_chapters() skip PGCs with missing cells

Fixes segfaults with a rip of Ghost Protocol.
---
 src/searching.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/searching.c b/src/searching.c
index c044199..abfabfd 100644
--- a/src/searching.c
+++ b/src/searching.c
@@ -650,6 +650,10 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
 printerr("Cell new row cannot be 0");
 continue;
 }
+ if (pgc->cell_playback == NULL) {
+ printerr("Cell missing");
+ continue;
+ }
 if(ptt[i].pgn < pgc->nr_of_programs)
 endcellnr = pgc->program_map[ptt[i].pgn];
--
1.8.0.2
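Review bot: The third new check narrows a pointer to `int` with `(int)(ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc) & 1`; pointer-to-int conversion is implementation-defined and on LP64 targets discards the upper half of the address and draws a -Wpointer-to-int-cast warning. The portable spelling is `if (0 != ((uintptr_t)(ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc) & 1)) {`, with `<stdint.h>` in scope (the file already uses `uint32_t`, so it presumably is). A low-bit test only catches the grossest corruption, since a PGC structure needs wider alignment than 2; that limitation deserves a comment such as `/* Heuristic only: an odd pointer is certainly garbage, an even one is not necessarily valid. */`. The expression `ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1]` now appears five times in consecutive checks; binding it once to a local pointer before the first check would make the sequence easier to read and audit. The enclosing loop starts outside the hunk.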
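Review bot: The new `cell_playback == NULL` check protects the pointer but not the index: `cellnr` comes from `program_map` on the line preceding the hunk and is never compared with `pgc->nr_of_cells`, so if the cell loop that follows (outside the hunk) indexes `cell_playback[cellnr-1]` before testing that bound, a program_map entry larger than the cell count still reads past the array on a malformed disc. Widening the test to `if (pgc->cell_playback == NULL || cellnr > pgc->nr_of_cells) {` rejects that case at the same place; the message could become `"Cell missing or out of range."`. `"Cell missing"` also lacks the trailing period used by the messages around it.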