From 6e7f400d5865f1ae4abc6f9b36c19d9408d81895 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Fri, 14 Feb 2014 13:39:07 +0900
Subject: [PATCH] vct: avoid read descriptors past the buffer
On some ATSC streams found in KR, the descriptor_length at the VCT tables are found to be bigger than the remaining buffer size. While this could be due to some other problem, add a logic to prevent going paste the buffer. Likely, this patch should also be ported to other places where dvb_parse_descriptors() is called.
Signed-off-by: Mauro Carvalho Chehab
---
 lib/libdvbv5/descriptors/vct.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/libdvbv5/descriptors/vct.c b/lib/libdvbv5/descriptors/vct.c
index 493f184..f1c823d 100644
--- a/lib/libdvbv5/descriptors/vct.c
+++ b/lib/libdvbv5/descriptors/vct.c
@@ -96,6 +96,12 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
 *head = channel;
 head = &(*head)->next;
+ if (endbuf - p < channel->descriptors_length) {
+ dvb_logerr("%s: short read %d/%zd bytes", __func__,
+ channel->descriptors_length, endbuf - p);
+ return;
+ }
+
 /* get the descriptors for each program */
 dvb_parse_descriptors(parms, p, channel->descriptors_length,
 &channel->descriptor);
@@ -109,6 +115,11 @@ void atsc_table_vct_init(struct dvb_v5_fe_parms *parms, const uint8_t *buf,
 union atsc_table_vct_descriptor_length *d = (void *)p;
 bswap16(d->descriptor_length);
 p += size;
+ if (endbuf - p < d->descriptor_length) {
+ dvb_logerr("%s: short read %d/%zd bytes", __func__,
+ d->descriptor_length, endbuf - p);
+ return;
+ }
 dvb_parse_descriptors(parms, p, d->descriptor_length,
 &vct->descriptor);
 }
-- 
2.7.4
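Review bot: The early `return` in the first hunk fires after `*head = channel;` has already linked the channel into the list, so a truncated table is left behind with `channel->descriptors_length` still holding the value that was just found to exceed the buffer. Because `atsc_table_vct_init` is `void`, callers cannot tell this apart from a complete parse, and any later code that trusts that field would be working from an unvalidated length. One option is to reset it on the error path, `channel->descriptors_length = 0;` before `return;`, and to confirm that `channel->descriptor` is initialised before the link, which happens outside this hunk. Separately, `endbuf - p` is a pointer difference, so the matching conversion is `%td` rather than `%zd`, here and in the second hunk.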
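Review bot: In the second hunk, `p` is not moved past the `d->descriptor_length` bytes once the new check has passed; the visible lines call `dvb_parse_descriptors()` and then reach the closing brace. If that brace closes a loop over `p` (its header is outside the hunk), the next pass would read a length header from inside the payload just parsed, and the new bounds check would then be applied to a meaningless length. Adding `p += d->descriptor_length;` after the call would keep the cursor and the check consistent. The length header itself is read and byte-swapped at `p` before any check in this hunk, so the enclosing condition should guarantee that at least `size` bytes remain.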