From patchwork Sun Apr 30 15:08:22 2017
X-Patchwork-Submitter: Reinhard Speyerer
X-Patchwork-Id: 41082
Date: Sun, 30 Apr 2017 17:08:22 +0200
From: Reinhard Speyerer
To: Tino Mettler, Mauro Carvalho Chehab
Cc: Gregor Jasny, 859008@bugs.debian.org, Linux Media Mailing List
Subject: Re: dvb-tools: dvbv5-scan segfaults with DVB-T2 HD service that just started in Germany
Message-ID: <20170430150822.GA1384@arcor.de>
In-Reply-To: <20170418105452.GA10975@eazy.amigager.de>

On Tue, Apr 18, 2017 at 12:54:52PM +0200, Tino Mettler wrote:
> On Thu, Mar 30, 2017 at 17:13:34 -0300, Mauro Carvalho Chehab wrote:
> > Hi Gregor,
> >
> > On Wed, 29 Mar 2017 20:45:06 +0200
> > Gregor Jasny wrote:
> >
> > > Hello Mauro & list,
> > >
> > > could you please have a look at the dvbv5-scan crash report below?
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859008
> > >
> > > Is there anything else you need to debug this?
> >
> > I'm able to reproduce it on a Debian machine here too, but so far,
> > I was unable to discover what's causing it. I'll try to find some time
> > to take a better look on it.
>
> Hi,
>
> can I help in some way to find the cause of crash?
>
> Regards,
> Tino
>

Hi Mauro and Tino,

with the patch below in addition to commit
b514d615166bdc0901a4c71261b87db31e89f464 ("libdvbv5: T2 delivery descriptor:
fix wrong size of bandwidth field") applied to v4l-utils 1.12.3 sources
dvbv5-scan no longer segfaults for me.

Manually replacing PID_24 with VIDEO_PID in the created dvb_channel.conf as
described in a German DVB-T2 forum is required to make dvbv5-zap also record
the video.

Regards,
Reinhard

Subject: [PATCH] libdvbv5: fix T2 delivery descriptor parsing in dvb_desc_t2_delivery_init()

Fix T2 delivery descriptor parsing by proper use of memcpy()/bswap16() on
struct dvb_desc_t2_delivery *d, only skipping the cell_id instead of the
remaining descriptor and using the correct d->tfs_flag check to avoid
dvbv5-scan segfaults observed with the DVB-T2 HD service that was started
in Germany.

Signed-off-by: Reinhard Speyerer
---
 lib/libdvbv5/descriptors/desc_t2_delivery.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libdvbv5/descriptors/desc_t2_delivery.c b/lib/libdvbv5/descriptors/desc_t2_delivery.c index 56e8d43..3831ac1 100644 --- a/lib/libdvbv5/descriptors/desc_t2_delivery.c
+++ b/lib/libdvbv5/descriptors/desc_t2_delivery.c @@ -40,7 +40,7 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -1; } if (desc_len < len2) { - memcpy(p, buf, len); + memcpy(d, buf, len); bswap16(d->system_id); if (desc_len != len) @@ -48,19 +48,23 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -2; } - memcpy(p, buf, len2); + memcpy(d, buf, len2); + bswap16(d->system_id); + bswap16(d->bitfield); p += len2; - len = desc_len - (p - buf); - memcpy(&d->centre_frequency, p, len); - p += len; + if (desc_len - (p - buf) < sizeof(uint16_t)) { + dvb_logwarn("T2 delivery descriptor is truncated"); + return -2; + } + p += sizeof(uint16_t); - if (d->tfs_flag) - d->frequency_loop_length = 1; - else { + if (d->tfs_flag) { d->frequency_loop_length = *p; p++; } + else + d->frequency_loop_length = 1; d->centre_frequency = calloc(d->frequency_loop_length, sizeof(*d->centre_frequency));
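
Review bot: in the first hunk (@@ -40,7 +40,7 @@), `memcpy(d, buf, len)` in the `desc_len < len2` branch now copies wire bytes directly over the start of `*d`, so it is only correct if the first `len` bytes of the struct match the descriptor layout byte for byte. A short comment at this call naming the fields that `len` covers would make that dependency explicit, and would also explain why only `bswap16(d->system_id)` is needed on this path while the full-length path in the next hunk swaps `d->bitfield` as well. The commit message could also say what the old destination `p` referred to, because this hunk alone does not show why `memcpy(p, buf, len)` was wrong.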
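
Review bot: in the second hunk (@@ -48,19 +48,23 @@), the `d->tfs_flag` branch reads `*p` without checking that a byte remains. The new test `desc_len - (p - buf) < sizeof(uint16_t)` only guarantees the two cell_id bytes, so a descriptor that ends right after the cell_id with tfs_flag set is read one byte past its end by `d->frequency_loop_length = *p;`. I would repeat the remaining-length check (at least 1 byte) inside that branch and return -2 with the same truncation warning. The loop length taken from the wire then goes straight into `calloc(d->frequency_loop_length, ...)`; the visible lines show neither a comparison of that count against the bytes left in the descriptor nor a check of the calloc() result, so please confirm both are handled in the code that follows. Two smaller points: `p += sizeof(uint16_t);` deserves a comment saying it skips the cell_id, and the `}` followed by `else` on its own line should be `} else {` with braces on both branches.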