Mailing List archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[vdr] Re: Nasty bug in StillPicture()
On Wednesday 15 October 2003 01:53, Oliver Endriss wrote:
> [patched patch]
Ok, let's do it the right way...
Added a range check to avoid writing beyond end of buffer, if the length
field is invalid for some reason (for example due to corrupted stream):
--- dvbdevice.c.org Sat Sep 6 15:19:33 2003
+++ dvbdevice.c Wed Oct 15 02:07:24 2003
@@ -915,21 +915,29 @@ void cDvbDevice::StillPicture(const ucha
return;
int i = 0;
int blen = 0;
- while (i < Length - 4) {
- if (Data[i] == 0x00 && Data[i + 1] == 0x00 && Data[i + 2] == 0x01 && (Data[i + 3] & 0xF0) == 0xE0) {
- // skip PES header
- int offs = i + 6;
+ while (i < Length - 6) {
+ if (Data[i] == 0x00 && Data[i + 1] == 0x00 && Data[i + 2] == 0x01) {
int len = Data[i + 4] * 256 + Data[i + 5];
- // skip header extension
- if ((Data[i + 6] & 0xC0) == 0x80) {
- offs += 3;
- offs += Data[i + 8];
- len -= 3;
- len -= Data[i + 8];
+ if ((Data[i + 3] & 0xF0) == 0xE0) { // video packet
+ // skip PES header
+ int offs = i + 6;
+ // skip header extension
+ if ((Data[i + 6] & 0xC0) == 0x80) {
+ offs += 3;
+ offs += Data[i + 8];
+ len -= 3;
+ len -= Data[i + 8];
+ }
+ if (blen+len > Length) // invalid PES length field
+ break;
+ memcpy(&buf[blen], &Data[offs], len);
+ i = offs + len;
+ blen += len;
}
- memcpy(&buf[blen], &Data[offs], len);
- i = offs + len;
- blen += len;
+ else if (Data[i + 3] >= 0xBD && Data[i + 3] <= 0xDF) // other PES packets
+ i += len+6;
+ else
+ i++;
}
else
i++;
Oliver
--
Info:
To unsubscribe send a mail to ecartis@linuxtv.org with "unsubscribe vdr" as subject.
Home |
Main Index |
Thread Index