From fe5473e90c1b07254663e756aff90652ee03083e Mon Sep 17 00:00:00 2001
From: Devon Kirk <hyder365@users.noreply.github.com>
Date: Tue, 16 Jun 2026 14:32:49 -0400
Subject: [PATCH] stream/dvdnav: fix NULL deref and wrong buffer in navigation
 event handling

---
 stream/stream_dvdnav.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stream/stream_dvdnav.c b/stream/stream_dvdnav.c
index ad688f109b924..ccdf914dfedd3 100644
--- a/stream/stream_dvdnav.c
+++ b/stream/stream_dvdnav.c
@@ -307,6 +307,8 @@ static int fill_buffer(stream_t *s, void *buf, int max_len)
             return 0;
         case DVDNAV_NAV_PACKET: {
             pci_t *pnavpci = dvdnav_get_current_nav_pci(dvdnav);
+            if (!pnavpci)
+                break;
             uint32_t start_pts = pnavpci->pci_gi.vobu_s_ptm;
             MP_TRACE(s, "start pts = %"PRIu32"\n", start_pts);
             break;
@@ -322,7 +324,7 @@ static int fill_buffer(stream_t *s, void *buf, int max_len)
         case DVDNAV_VTS_CHANGE: {
             int tit = 0, part = 0;
             dvdnav_vts_change_event_t *vts_event =
-                (dvdnav_vts_change_event_t *)s->buffer;
+                (dvdnav_vts_change_event_t *)buf;
             MP_INFO(s, "DVDNAV, switched to title: %d\n",
                    vts_event->new_vtsN);
             if (!priv->had_initial_vts) {