[linux-dvb] Re: Crashes in dvb_demux.c

To: Florian Schirmer <jolt@tuxbox.org>
Subject: [linux-dvb] Re: Crashes in dvb_demux.c
From: Emard <emard@softhome.net>
Date: Sun, 9 Feb 2003 19:46:42 +0100
Cc: linux-dvb@linuxtv.org
Content-disposition: inline
Content-transfer-encoding: 7bit
Content-type: text/plain; charset=us-ascii
In-reply-to: <009401c2d069$311ca6e0$0201a8c0@space.taytron.net>
References: <20030209172808.GA1071@emard> <009401c2d069$311ca6e0$0201a8c0@space.taytron.net>
Reply-to: emard@softhome.net
Sender: Emard <emard@localhost>
Sender: linux-dvb-bounce@linuxtv.org
User-agent: Mutt/1.3.28i

On Sun, Feb 09, 2003 at 07:29:31PM +0100, Florian Schirmer wrote:
> Hi,
> 
> >			if ((count>2) && // enough data to determine sec
> length?
> >			    ((sec->seclen = section_length(buf+p)) <=
> count)) {
> >				if (sec->seclen>4096) 
> 
> >buf+p contains 188 bytes or less (188-p), assuming p is positive.
> >
> >sec->seclen can contain up to 4096 bytes.
> 
> We'll check at the beginning (see above) wether sec->seclen is smaller that
> the payload bytes of buf+p. Only if that is true this code path will be
> used. (Section is smaller than a TS packet). At least this part looks safe
> to me ;-)

What if sec->seclen is already negative (-1) ? It can be -1 < count and 
also -1 < 4096, but would lead to infinite memcopy

Emard


-- 
Info:
To unsubscribe send a mail to listar@linuxtv.org with "unsubscribe linux-dvb" as subject.

Follow-Ups:
- [linux-dvb] AW: Re: Crashes in dvb_demux.c
  - From: "Florian Schirmer" <jolt@tuxbox.org>

References:
- [linux-dvb] Re: Crashes in dvb_demux.c
  - From: Emard <emard@softhome.net>
- [linux-dvb] AW: Re: Crashes in dvb_demux.c
  - From: "Florian Schirmer" <jolt@tuxbox.org>

Prev by Date: [linux-dvb] AW: Re: Crashes in dvb_demux.c
Next by Date: [linux-dvb] AW: Re: Crashes in dvb_demux.c
Previous by thread: [linux-dvb] AW: Re: Crashes in dvb_demux.c
Next by thread: [linux-dvb] AW: Re: Crashes in dvb_demux.c
Index(es):
- Date
- Thread

Home | Main Index | Thread Index