Commit 00500273 authored by Jean-Paul Saman's avatar Jean-Paul Saman

SIS: checking boundary (CID #138525, #138526)

parent ae0f924e
...@@ -466,10 +466,12 @@ static dvbpsi_sis_cmd_splice_insert_t * ...@@ -466,10 +466,12 @@ static dvbpsi_sis_cmd_splice_insert_t *
pos++; pos++;
p_cmd->i_splice_time.p_next = NULL; p_cmd->i_splice_time.p_next = NULL;
} }
if (!p_cmd->b_program_splice_flag) { if (!p_cmd->b_program_splice_flag) {
if (p_data[pos] * 2 + pos > i_length - pos)
goto error;
p_cmd->i_component_count = p_data[pos]; p_cmd->i_component_count = p_data[pos];
if (p_cmd->i_component_count * 2 + pos > i_length - pos)
p_cmd->i_component_count = i_length - pos;
i_needed += (!p_cmd->b_splice_immediate_flag) ? i_needed += (!p_cmd->b_splice_immediate_flag) ?
(p_cmd->i_component_count * (5 + 1) ) : (p_cmd->i_component_count * (5 + 1) ) :
...@@ -673,7 +675,7 @@ void dvbpsi_sis_sections_decode(dvbpsi_t* p_dvbpsi, dvbpsi_sis_t* p_sis, ...@@ -673,7 +675,7 @@ void dvbpsi_sis_sections_decode(dvbpsi_t* p_dvbpsi, dvbpsi_sis_t* p_sis,
while (p_section) while (p_section)
{ {
for (p_byte = p_section->p_payload_start + 3; for (p_byte = p_section->p_payload_start + 3;
p_byte < p_section->p_payload_end; ) p_byte + 14 < p_section->p_payload_end; )
{ {
p_sis->i_protocol_version = p_byte[3]; p_sis->i_protocol_version = p_byte[3];
p_sis->b_encrypted_packet = ((p_byte[4] & 0x80) == 0x80); p_sis->b_encrypted_packet = ((p_byte[4] & 0x80) == 0x80);
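Review bot: The length test `p_data[pos] * 2 + pos > i_length - pos` in the `!p_cmd->b_program_splice_flag` branch of the first hunk counts `pos` on both sides and assumes 2 bytes per component, while the `i_needed` line just below it uses `p_cmd->i_component_count * (5 + 1)` when `b_splice_immediate_flag` is clear. If the component loop outside this hunk consumes 6 bytes per entry in that case, input that passes this test can presumably still be read past `i_length`; `p_data[pos]` is also dereferenced before any visible check that `pos` is inside the buffer. Consider testing the index first and using the entry size the flag selects, e.g. `if (pos >= i_length) goto error;` followed by `if (p_data[pos] * entry_size > i_length - pos - 1) goto error;`, where `entry_size` is a placeholder for the per-component size. The page also shows a clamp `p_cmd->i_component_count = i_length - pos;`, which would store a remaining-byte count into a component count; the rendered view does not show whether this commit removes that line, so it is worth confirming. The function begins and ends outside the hunk, so the types of `pos` and `i_length` and the loop that consumes the components should be checked against the full file.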