Commit 680a990f authored by Jean-Paul Saman's avatar Jean-Paul Saman

dr_48: add boundary checking

parent 86d5fe68
...@@ -61,7 +61,7 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr( ...@@ -61,7 +61,7 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr(
/* Allocate memory */ /* Allocate memory */
dvbpsi_service_dr_t * p_decoded; dvbpsi_service_dr_t * p_decoded;
p_decoded = (dvbpsi_service_dr_t*)malloc(sizeof(dvbpsi_service_dr_t)); p_decoded = (dvbpsi_service_dr_t*)calloc(1, sizeof(dvbpsi_service_dr_t));
if (!p_decoded) if (!p_decoded)
return NULL; return NULL;
...@@ -73,6 +73,9 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr( ...@@ -73,6 +73,9 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr(
p_decoded->i_service_provider_name[0] = 0; p_decoded->i_service_provider_name[0] = 0;
p_decoded->i_service_name[0] = 0; p_decoded->i_service_name[0] = 0;
if (p_decoded->i_service_provider_name_length > 252)
p_decoded->i_service_provider_name_length = 252;
if (p_decoded->i_service_provider_name_length + 2 > p_descriptor->i_length) if (p_decoded->i_service_provider_name_length + 2 > p_descriptor->i_length)
return p_decoded; return p_decoded;
...@@ -87,6 +90,9 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr( ...@@ -87,6 +90,9 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr(
p_decoded->i_service_name_length = p_decoded->i_service_name_length =
p_descriptor->p_data[2+p_decoded->i_service_provider_name_length]; p_descriptor->p_data[2+p_decoded->i_service_provider_name_length];
if (p_decoded->i_service_name_length > 252)
p_decoded->i_service_name_length = 252;
if (p_decoded->i_service_provider_name_length + 3 + if (p_decoded->i_service_provider_name_length + 3 +
p_decoded->i_service_name_length > p_descriptor->i_length) p_decoded->i_service_name_length > p_descriptor->i_length)
return p_decoded; return p_decoded;
...@@ -105,10 +111,15 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr( ...@@ -105,10 +111,15 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr(
dvbpsi_descriptor_t * dvbpsi_GenServiceDr(dvbpsi_service_dr_t * p_decoded, dvbpsi_descriptor_t * dvbpsi_GenServiceDr(dvbpsi_service_dr_t * p_decoded,
bool b_duplicate) bool b_duplicate)
{ {
if (p_decoded->i_service_provider_name_length > 252)
p_decoded->i_service_provider_name_length = 252;
if (p_decoded->i_service_name_length > 252)
p_decoded->i_service_name_length = 252;
/* Create the descriptor */ /* Create the descriptor */
dvbpsi_descriptor_t * p_descriptor = dvbpsi_descriptor_t * p_descriptor =
dvbpsi_NewDescriptor(0x48, 3 + p_decoded->i_service_name_length + dvbpsi_NewDescriptor(0x48, 3 + p_decoded->i_service_name_length +
p_decoded->i_service_provider_name_length , NULL); p_decoded->i_service_provider_name_length, NULL);
if (!p_descriptor) if (!p_descriptor)
return NULL; return NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment