vct: avoid read descriptors past the buffer
author Mauro Carvalho Chehab <m.chehab@samsung.com>
Fri, 14 Feb 2014 04:39:07 +0000 (13:39 +0900)
committer Mauro Carvalho Chehab <m.chehab@samsung.com>
Sat, 15 Feb 2014 18:48:43 +0000 (03:48 +0900)

On some ATSC streams found in KR, the descriptor_length at the
VCT tables are found to be bigger than the remaining buffer
size.

While this could be due to some other problem, add logic to
prevent going past the buffer.

Likely, this patch should also be ported to other places where
dvb_parse_descriptors() is called.

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

lib/libdvbv5/descriptors/vct.c

index 493f184..f1c823d 100644 (file)
@@ -96,6 +96,12 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
                *head = channel;
                head = &(*head)->next;
 
+               if (endbuf - p < channel->descriptors_length) {
+                       dvb_logerr("%s: short read %d/%zd bytes", __func__,
+                                  channel->descriptors_length, endbuf - p);
+                       return;
+               }
+
                /* get the descriptors for each program */
                dvb_parse_descriptors(parms, p, channel->descriptors_length,
                                      &channel->descriptor);
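
Review bot: The early return in the new `if (endbuf - p < channel->descriptors_length)` check runs after `*head = channel; head = &(*head)->next;`, so on a short read the channel stays linked in the list, still carrying the oversized descriptors_length taken from the stream, without dvb_parse_descriptors() having been called for it. Consider zeroing channel->descriptors_length (or clamping it to endbuf - p) before returning, or moving the check ahead of the list insertion, so that later consumers of the channel list never see a length that exceeds the data actually received. Because atsc_table_vct_init() returns void, the dvb_logerr() line is the only indication that the table is truncated; a short comment saying that the partial table is intentionally kept would help the next reader.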
@@ -109,6 +115,11 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
                union atsc_table_vct_descriptor_length *d = (void *)p;
                bswap16(d->descriptor_length);
                p += size;
+               if (endbuf - p < d->descriptor_length) {
+                       dvb_logerr("%s: short read %d/%zd bytes", __func__,
+                                  d->descriptor_length, endbuf - p);
+                       return;
+               }
                dvb_parse_descriptors(parms, p, d->descriptor_length,
                                      &vct->descriptor);
        }
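
Review bot: `endbuf - p` in the dvb_logerr() call is a pointer difference (ptrdiff_t), but the format string prints it with `%zd`; `%td` is the matching conversion, and the same applies to the identical message in the first hunk. This check is also a verbatim copy of the one added before the per-channel dvb_parse_descriptors() call, and the commit message already expects other callers of dvb_parse_descriptors() to need it. A small helper, or passing endbuf into dvb_parse_descriptors() so it validates the length itself, would keep the copies from drifting apart as the check is ported.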