Commit ba10fd85 authored by Gildas Bazin's avatar Gildas Bazin

* src/tables/sdt.c, src/descriptors/dr_48.c: added sanity checks for bad streams.

parent c0a8fcdb
/***************************************************************************** /*****************************************************************************
* dr_48.c * dr_48.c
* (c)2001-2002 VideoLAN * (c)2001-2002 VideoLAN
* $Id: dr_48.c,v 1.2 2003/07/25 20:20:40 fenrir Exp $ * $Id$
* *
* Authors: Arnaud de Bossoreille de Ribou <bozo@via.ecp.fr> * Authors: Arnaud de Bossoreille de Ribou <bozo@via.ecp.fr>
* Johan Bilien <jobi@via.ecp.fr> * Johan Bilien <jobi@via.ecp.fr>
...@@ -79,21 +79,37 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr( ...@@ -79,21 +79,37 @@ dvbpsi_service_dr_t * dvbpsi_DecodeServiceDr(
return NULL; return NULL;
} }
p_descriptor->p_decoded = (void*)p_decoded;
p_decoded->i_service_type = p_descriptor->p_data[0]; p_decoded->i_service_type = p_descriptor->p_data[0];
p_decoded->i_service_provider_name_length = p_descriptor->p_data[1]; p_decoded->i_service_provider_name_length = p_descriptor->p_data[1];
p_decoded->i_service_name_length = 0;
p_decoded->i_service_provider_name[0] = 0;
p_decoded->i_service_name[0] = 0;
if(p_decoded->i_service_provider_name_length + 2 > p_descriptor->i_length)
return p_decoded;
if(p_decoded->i_service_provider_name_length) if(p_decoded->i_service_provider_name_length)
memcpy(p_decoded->i_service_provider_name, memcpy(p_decoded->i_service_provider_name,
p_descriptor->p_data + 2, p_descriptor->p_data + 2,
p_decoded->i_service_provider_name_length); p_decoded->i_service_provider_name_length);
if(p_decoded->i_service_provider_name_length + 3 > p_descriptor->i_length)
return p_decoded;
p_decoded->i_service_name_length = p_decoded->i_service_name_length =
p_descriptor->p_data[2+p_decoded->i_service_provider_name_length]; p_descriptor->p_data[2+p_decoded->i_service_provider_name_length];
if(p_decoded->i_service_provider_name_length + 3 +
p_decoded->i_service_name_length > p_descriptor->i_length)
return p_decoded;
if(p_decoded->i_service_name_length) if(p_decoded->i_service_name_length)
memcpy(p_decoded->i_service_name, memcpy(p_decoded->i_service_name,
p_descriptor->p_data + 3 + p_decoded->i_service_provider_name_length, p_descriptor->p_data + 3 + p_decoded->i_service_provider_name_length,
p_decoded->i_service_name_length); p_decoded->i_service_name_length);
p_descriptor->p_decoded = (void*)p_decoded;
return p_decoded; return p_decoded;
} }
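Review bot: The early returns leave length fields that do not match what was copied: when the first check (`i_service_provider_name_length + 2 > p_descriptor->i_length`) fails, `i_service_provider_name_length` still holds the value read from the stream although no name bytes were copied, and the third check returns with `i_service_name_length` in the same state. A caller that trusts those lengths will read bytes of the name arrays that this function never wrote. Reset the field before each of those returns, e.g. `p_decoded->i_service_provider_name_length = 0;` and `p_decoded->i_service_name_length = 0;`. The checks also bound the copies only by `p_descriptor->i_length`; the name arrays are declared outside this hunk, so confirm their size covers the largest length these checks admit. The function starts above the hunk, so whether `p_data[0]` and `p_data[1]` are guarded by an earlier length check cannot be seen here.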
......
...@@ -466,7 +466,7 @@ void dvbpsi_DecodeSDTSections(dvbpsi_sdt_t* p_sdt, ...@@ -466,7 +466,7 @@ void dvbpsi_DecodeSDTSections(dvbpsi_sdt_t* p_sdt,
while(p_section) while(p_section)
{ {
for(p_byte = p_section->p_payload_start + 3; for(p_byte = p_section->p_payload_start + 3;
p_byte < p_section->p_payload_end;) p_byte + 4 < p_section->p_payload_end;)
{ {
uint16_t i_service_id = ((uint16_t)(p_byte[0]) << 8) | p_byte[1]; uint16_t i_service_id = ((uint16_t)(p_byte[0]) << 8) | p_byte[1];
int b_eit_schedule = (int)((p_byte[2] & 0x2) >> 1); int b_eit_schedule = (int)((p_byte[2] & 0x2) >> 1);
...@@ -477,9 +477,12 @@ void dvbpsi_DecodeSDTSections(dvbpsi_sdt_t* p_sdt, ...@@ -477,9 +477,12 @@ void dvbpsi_DecodeSDTSections(dvbpsi_sdt_t* p_sdt,
dvbpsi_sdt_service_t* p_service = dvbpsi_SDTAddService(p_sdt, dvbpsi_sdt_service_t* p_service = dvbpsi_SDTAddService(p_sdt,
i_service_id, b_eit_schedule, b_eit_present, i_service_id, b_eit_schedule, b_eit_present,
i_running_status, b_free_ca); i_running_status, b_free_ca);
/* Service descriptors */ /* Service descriptors */
p_byte += 5; p_byte += 5;
p_end = p_byte + i_length; p_end = p_byte + i_length;
if( p_end > p_section->p_payload_end ) break;
while(p_byte + 2 <= p_end) while(p_byte + 2 <= p_end)
{ {
uint8_t i_tag = p_byte[0]; uint8_t i_tag = p_byte[0];
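Review bot: The new `if( p_end > p_section->p_payload_end ) break;` runs only after `dvbpsi_SDTAddService` has already appended the service, so a service whose descriptor loop length overruns the payload stays in the table without descriptors and every later service in the section is dropped silently. Consider validating before the add, comparing lengths instead of forming a pointer past the buffer: `if( i_length > p_section->p_payload_end - (p_byte + 5) ) break;` placed ahead of the `dvbpsi_SDTAddService` call (`i_length` is computed in lines the page elides, so confirm it is available there). If keeping the partial service is intended, say so in a comment such as `/* truncated descriptor loop: keep the service, stop parsing this section */`. The function body starts and ends outside the hunks shown.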
......