
[linux-dvb] Re: Crashes in dvb_demux.c



> Did you test printing out the value when it is >0x1fff?
> Does it really happen?

No, I haven't. That was my mistake and I fixed it, but the rest
of the crashes remain.

I don't know much about the PES data structure, but I know what
unix-class stability code looks like.
 
> Your ksymoops dump in your last mail seems to indicate that the oops
> occurs when the second TS byte (lower 8 bit of PID) is fetched.
> It is not when pid2feed[] is referenced. 
> Compare it to a disassembly of the demuxer object file.

OK, you are right. I had a wrong 'scrambler' of dmapos which,
at the boundary condition, delivered 188 bytes out of the allocated range,
so I don't do that on the last 1000 bytes. Now I'm using this:

       dmapos = saa7146_read(budget->dev, PCI_VDP3);
       dmapos -= (dmapos%188);
       if(dmapos < TS_BUFLEN-1000)
               dmapos += 441;
       dmapos %= TS_BUFLEN;


And the rest of the crashes remained.

BTW, let's comment on this code snippet from dvb_demux.c,
paying attention to the value boundaries of the memcopy commands:

static
int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed, const u8 *buf) 
{
< snip >

			sec->crc_val = ~0;

			if ((count>2) && // enough data to determine sec length?
			    ((sec->seclen = section_length(buf+p)) <= count)) {
				if (sec->seclen>4096) 
					return -1;

				demux->memcopy (feed, sec->secbuf, buf+p,
					       sec->seclen);

				sec->secbufp = sec->seclen;
				p += sec->seclen;
				count = 188 - p;

				dvb_dmx_swfilter_section_feed(feed);

				// filling bytes until packet end?
				if (count && buf[p]==0xff) 
					count=0;

			} else { // section continues to following TS packet
< snip >

buf+p contains 188 bytes or less (188-p), assuming p is positive.

sec->seclen can contain up to 4096 bytes. 

So from the memory area at buf+p, which is at most 188 bytes long,
there's a memcopy of up to 4096 bytes !!!

Besides, p, used as the pointer into buf, has reasonable
values of max 188, but then some value up to 4096 is added
to it !!!

p += sec->seclen;

so in the following line count can become negative:

count = 188 - p;

... imagine what happens when a negative count is used in a loop:

while(count)


Emard
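Added example (not from the mail above and not the dvb_demux.c driver's own code): a bounded version of the copy step the mail analyses, written in plain C so it can be compiled on its own. It makes two checks explicit: the offset p is validated before 188 - p is ever formed, and the memcpy length is clamped to the bytes actually present in the packet rather than to the declared seclen, so a section longer than one packet is assembled over several calls. The struct field names, the section_length() helper (12-bit length field plus the 3 header bytes) and the packets built by make_packet() are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define TS_PACKET_LEN   188
#define MAX_SECTION_LEN 4096

/* Stand-in for the demux's section state (assumed field names). */
struct section_state {
    uint8_t secbuf[MAX_SECTION_LEN];
    size_t  secbufp;   /* bytes already assembled in secbuf */
    size_t  seclen;    /* declared length incl. 3 header bytes; 0 = unknown */
    int     complete;  /* set once secbufp reaches seclen */
};

/* 12-bit section_length field plus the 3 header bytes before it
 * (assumed to match the driver's section_length() helper). */
static size_t section_length(const uint8_t *hdr)
{
    return ((((size_t)hdr[1] & 0x0f) << 8) | hdr[2]) + 3;
}

/* Bounded copy step. p is the offset of the first section byte inside a
 * 188-byte TS packet. At most the bytes remaining in the packet are copied,
 * so the copy cannot overrun pkt and 188 - p is never computed for p > 188.
 * Returns bytes consumed, or -1 on malformed input. */
int section_copy_bounded(struct section_state *sec, const uint8_t *pkt, size_t p)
{
    if (p >= TS_PACKET_LEN)
        return -1;                              /* offset outside the packet */
    size_t avail = TS_PACKET_LEN - p;           /* safe: p < 188 checked above */

    if (sec->seclen == 0) {                     /* start of a new section */
        if (avail < 3)
            return -1;                          /* header does not fit */
        size_t len = section_length(pkt + p);
        if (len > MAX_SECTION_LEN)
            return -1;                          /* would overflow secbuf */
        sec->seclen = len;
        sec->secbufp = 0;
        sec->complete = 0;
    }

    size_t need = sec->seclen - sec->secbufp;   /* bytes still missing */
    size_t n = need < avail ? need : avail;     /* clamp to packet contents */
    memcpy(sec->secbuf + sec->secbufp, pkt + p, n);
    sec->secbufp += n;
    if (sec->secbufp == sec->seclen)
        sec->complete = 1;
    return (int)n;
}

/* Constructed packet: section header at offset p with a 12-bit
 * section_length field of `field`, so seclen = field + 3. */
static void make_packet(uint8_t *pkt, size_t p, unsigned field, uint8_t fill)
{
    memset(pkt, fill, TS_PACKET_LEN);
    pkt[p] = 0x00;                              /* table_id, arbitrary */
    pkt[p + 1] = (uint8_t)((field >> 8) & 0x0f);
    pkt[p + 2] = (uint8_t)(field & 0xff);
}

/* 300-byte section over two packets: 183 bytes from the first packet,
 * then only the 117 still missing from the second. Returns 300 when complete. */
int demo_section_over_two_packets(void)
{
    uint8_t pkt1[TS_PACKET_LEN], pkt2[TS_PACKET_LEN];
    struct section_state sec = {0};
    make_packet(pkt1, 5, 297, 0xAA);            /* 297 + 3 = 300 */
    memset(pkt2, 0xBB, sizeof pkt2);            /* continuation payload */
    int n1 = section_copy_bounded(&sec, pkt1, 5);
    int n2 = section_copy_bounded(&sec, pkt2, 4);
    if (n1 != 183 || n2 != 117 || !sec.complete)
        return -1;
    return (int)sec.secbufp;
}

/* Section declaring 3843 bytes: the first packet yields only its 183
 * present bytes, not the declared length, and the section stays open. */
int demo_long_section_first_packet(void)
{
    uint8_t pkt[TS_PACKET_LEN];
    struct section_state sec = {0};
    make_packet(pkt, 5, 3840, 0xCC);            /* 3840 + 3 = 3843 <= 4096 */
    int n = section_copy_bounded(&sec, pkt, 5);
    return sec.complete ? -1 : n;
}

/* Both malformed cases are refused: declared length 0xfff + 3 = 4098
 * (exceeds secbuf) and an offset p past the packet end. Returns 1 if so. */
int demo_malformed_rejected(void)
{
    uint8_t pkt[TS_PACKET_LEN];
    struct section_state a = {0}, b = {0};
    make_packet(pkt, 5, 0xfff, 0xDD);
    int r1 = section_copy_bounded(&a, pkt, 5);
    make_packet(pkt, 5, 10, 0xEE);
    int r2 = section_copy_bounded(&b, pkt, 4096);
    return (r1 == -1 && r2 == -1) ? 1 : 0;
}
```

The point of the clamp is that the declared length only decides how much is still wanted; how much is copied is decided by the packet. With that ordering the "count = 188 - p" arithmetic in the mail has no negative case left to reach the while loop.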

