From: Mauro Carvalho Chehab <m.chehab@samsung.com>
Date: Fri, 14 Feb 2014 04:39:07 +0000 (+0900)
Subject: vct: avoid read descriptors past the buffer
X-Git-Tag: v4l-utils-1.2.0~214
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6e7f400d5865f1ae4abc6f9b36c19d9408d81895;p=platform%2Fupstream%2Fv4l-utils.git

vct: avoid read descriptors past the buffer

On some ATSC streams found in KR, the descriptor_length at the
VCT tables are found to be bigger than the remaining buffer
size.

While this could be due to some other problem, add a logic to
prevent going paste the buffer.

Likely, this patch should also be ported to other places where
dvb_parse_descriptors() is called.

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
---

diff --git a/lib/libdvbv5/descriptors/vct.c b/lib/libdvbv5/descriptors/vct.c
index 493f184..f1c823d 100644
--- a/lib/libdvbv5/descriptors/vct.c
+++ b/lib/libdvbv5/descriptors/vct.c
@@ -96,6 +96,12 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
 		*head = channel;
 		head = &(*head)->next;
 
+		if (endbuf - p < channel->descriptors_length) {
+			dvb_logerr("%s: short read %d/%zd bytes", __func__,
+				   channel->descriptors_length, endbuf - p);
+			return;
+		}
+
 		/* get the descriptors for each program */
 		dvb_parse_descriptors(parms, p, channel->descriptors_length,
 				      &channel->descriptor);
@@ -109,6 +115,11 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
 		union atsc_table_vct_descriptor_length *d = (void *)p;
 		bswap16(d->descriptor_length);
 		p += size;
+		if (endbuf - p < d->descriptor_length) {
+			dvb_logerr("%s: short read %d/%zd bytes", __func__,
+				   d->descriptor_length, endbuf - p);
+			return;
+		}
 		dvb_parse_descriptors(parms, p, d->descriptor_length,
 				      &vct->descriptor);
 	}