diff -u libdvdread-4.1.3/debian/changelog libdvdread-4.1.3/debian/changelog
--- libdvdread-4.1.3/debian/changelog
+++ libdvdread-4.1.3/debian/changelog
@@ -1,3 +1,10 @@
+libdvdread (4.1.3-10ubuntu4.2) oneiric-proposed; urgency=low
+
+ * debian/103-iforead-tt-srpt-pointerfix.patch
+ - Fix read/write beyond end of an array due to using a length value taken from the DVD, which can exceed the allocated size, causing a segmentation fault (LP: #894170)
+
+ -- Vibhav Pant Thu, 10 May 2012 22:00:54 +0530
+
 libdvdread (4.1.3-10ubuntu4.1) oneiric-proposed; urgency=low

 * debian/patches/102-reorder-linkage.patch: corrects the linking order
diff -u libdvdread-4.1.3/debian/patches/series libdvdread-4.1.3/debian/patches/series
--- libdvdread-4.1.3/debian/patches/series
+++ libdvdread-4.1.3/debian/patches/series
@@ -10,0 +11 @@
+103-iforead-tt-srpt-pointerfix.patch
only in patch2:
unchanged:
--- libdvdread-4.1.3.orig/src/ifo_read.c
+++ libdvdread-4.1.3/src/ifo_read.c
@@ -1028,6 +1028,12 @@
 return 0;
 }

+ if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
+ fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
+ info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
+ tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
+ }
+
 for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
 B2N_16(tt_srpt->title[i].nr_of_ptts);
 B2N_16(tt_srpt->title[i].parental_id);
only in patch2:
unchanged:
--- libdvdread-4.1.3.orig/debian/patches/103-iforead-tt-srpt-pointerfix.patch
+++ libdvdread-4.1.3/debian/patches/103-iforead-tt-srpt-pointerfix.patch
@@ -0,0 +1,19 @@
+Author: Bryce Harrington
+Description: Fix read/write beyond end of an array due to using a length value taken from the DVD, which can exceed the allocated size, causing a segmentation fault.
+
+diff -Naurp libdvdread.orig/src/ifo_read.c libdvdread/src/ifo_read.c
+--- libdvdread.orig/src/ifo_read.c 2011-12-13 20:24:16.000000000 -0800
++++ libdvdread/src/ifo_read.c 2012-10-05 20:19:54.315878130 +0530
+@@ -1082,6 +1082,12 @@ int ifoRead_TT_SRPT(ifo_handle_t *ifofil
+ return 0;
+ }
+
++ if(tt_srpt->nr_of_srpts>info_length/sizeof(title_info_t)){
++ fprintf(stderr,"libdvdread: data mismatch: info_length (%ld)!= nr_of_srpts (%d). Truncating.\n",
++ info_length/sizeof(title_info_t),tt_srpt->nr_of_srpts);
++ tt_srpt->nr_of_srpts=info_length/sizeof(title_info_t);
++ }
++
+ for(i = 0; i < tt_srpt->nr_of_srpts; i++) {
+ B2N_16(tt_srpt->title[i].nr_of_ptts);
+ B2N_16(tt_srpt->title[i].parental_id);
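Review bot: The `fprintf` in the new bounds check passes `info_length/sizeof(title_info_t)` to `%ld`, but a quotient involving `sizeof` is computed in `size_t` (assuming `info_length` is no wider than that), so the specifier does not match its argument; the same lines appear in the applied `src/ifo_read.c` hunk above. Use `%zu`, or compute the capacity once, e.g. `size_t max_srpts = info_length / sizeof(title_info_t);`, and reuse it in the comparison, the message and the assignment. The message also labels that quotient as `info_length` and says `!=` although the test is `>`, which will mislead anyone triaging a malformed disc from the log. `info_length` is declared outside the hunk, so it is worth confirming it cannot be negative here, because a negative signed value converted to `size_t` would make the computed capacity huge and the clamp would never fire. `ifoRead_TT_SRPT` begins and ends outside the hunk.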