Mailing List archive


[linux-dvb] Re: Crashes in dvb_demux.c



Emard writes:
 > > I don't know exactly why it crashes for you (your dump rather
 > > points to an out of bounds *buf I think) but ts_pid() can only return values
 > > <=0x1fff. There should be no check needed.
 > 
 > Neither do I, but it might be a gcc optimizer bug.
 > ts_pid returns a u16 value, and gcc during optimization might
 > have forgotten to extend it properly to 32 bits, which is
 > required for index offset calculation.
 > Perhaps declaring it u32 ts_pid(u8 *buf) would be sufficient.

Did you test printing out the value when it is >0x1fff?
Does it really happen?

Your ksymoops dump in your last mail seems to indicate that the oops
occurs when the second TS byte (lower 8 bits of PID) is fetched.
It is not when pid2feed[] is referenced. 
Compare it to a disassembly of the demuxer object file.


 > If you don't believe it could crash for me, edit your vpeirq/fidbirq
 > and use a dmapos[whatever] != 0x47 check and also offset the dma pointer
 > a few bytes in advance, dmapointer = (dmapointer + 441) % TS_BUFLEN, to
 > see this and all the other crashes in a matter of minutes or even seconds,
 > depending on the transponder activity.

Hmmm, the:

if (dmapos >= TS_BUFLEN)

in fidb/vpeirq should maybe be:

if (dmapos > TS_BUFLEN)
 
This might explain some of the errors you get.


Ralph
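
The two points raised in this message, as an added example that is not part of the original post or of the driver source: the PID mask bounds the table index, while the header bytes themselves are only safe to fetch if the read position is validated. The `ts_pid()` body is a sketch of the usual 13-bit PID extraction; `ring_packet_pid()`, `sample_pid()` and `RING_LEN` (standing in for TS_BUFLEN) are hypothetical names, and the ring contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TS_SIZE  188u               /* MPEG-TS packet length */
#define TS_SYNC  0x47u              /* sync byte that starts every packet */
#define RING_LEN (2u * TS_SIZE)     /* constructed; stands in for TS_BUFLEN */

/* 13-bit PID from a TS header. The 0x1f mask bounds the result to
 * 0..0x1fff for any input. The caller must own buf[0..2]. */
static uint16_t ts_pid(const uint8_t *buf)
{
    return (uint16_t)(((buf[1] & 0x1fu) << 8) | buf[2]);
}

/* PID of the packet whose header starts at ring[pos], or -1 when pos is
 * outside the ring or the sync byte is missing. Header bytes are fetched
 * modulo ring_len, so a header that straddles the wrap point never reads
 * past the end of the buffer. */
static int ring_packet_pid(const uint8_t *ring, size_t ring_len, size_t pos)
{
    uint8_t hdr[3];
    if (ring_len < sizeof hdr || pos >= ring_len)
        return -1;
    for (size_t i = 0; i < sizeof hdr; i++)
        hdr[i] = ring[(pos + i) % ring_len];
    if (hdr[0] != TS_SYNC)
        return -1;
    return ts_pid(hdr);
}

/* Constructed sample ring: one header at offset 0 with every PID bit set,
 * one header in the last two bytes that wraps around to offset 0. */
static int sample_pid(size_t pos)
{
    static uint8_t ring[RING_LEN];
    ring[0] = TS_SYNC; ring[1] = 0xff; ring[2] = 0xff;
    ring[RING_LEN - 2] = TS_SYNC; ring[RING_LEN - 1] = 0x01;
    return ring_packet_pid(ring, RING_LEN, pos);
}

int main(void)
{
    const size_t probes[] = { 0, 1, RING_LEN - 2, RING_LEN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("pos %3zu -> %d\n", probes[i], sample_pid(probes[i]));
    return 0;
}
```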


