From patchwork Fri Apr 29 23:53:17 2005
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Burgess <jburgess@uklinux.net>
X-Patchwork-Id: 11861
Received: from mail3.uklinux.net ([80.84.72.33])
	by www.linuxtv.org with esmtp (Exim 4.34) id 1DRfIS-0007or-AI
	for vdr@linuxtv.org; Sat, 30 Apr 2005 01:53:24 +0200
Received: from [192.168.1.247] (bts-0906.dialup.zetnet.co.uk
	[194.247.51.138])
	by mail3.uklinux.net (Postfix) with ESMTP id 41497409FBA
	for <vdr@linuxtv.org>; Fri, 29 Apr 2005 23:53:22 +0000 (UTC)
Message-ID: <4272C8ED.8000802@uklinux.net>
Date: Sat, 30 Apr 2005 00:53:17 +0100
From: Jon Burgess <jburgess@uklinux.net>
User-Agent: Mozilla Thunderbird 1.0.2-1.3.2 (X11/20050324)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: vdr@linuxtv.org
Subject: [vdr] [PATCH] dxr3plugin fix to prevent segv for some corrupt
	streams
X-BeenThere: vdr@linuxtv.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Klaus Schmidinger's VDR <vdr@linuxtv.org>
List-Id: Klaus Schmidinger's VDR <vdr.linuxtv.org>
List-Unsubscribe: <http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=unsubscribe>
List-Archive: <http://www.linuxtv.org/pipermail/vdr>
List-Post: <mailto:vdr@linuxtv.org>
List-Help: <mailto:vdr-request@linuxtv.org?subject=help>
List-Subscribe: <http://www.linuxtv.org/cgi-bin/mailman/listinfo/vdr>,
	<mailto:vdr-request@linuxtv.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2005 23:53:24 -0000
Status: O
X-Status: 
X-Keywords: 
X-UID: 1873

I tracked down a small problem in the dxr3pesframes code which was 
causing a segv to occur while trying to play some corrupted streams.

dxr3pesframe.c contains the following loop which is used to find the 
start of the first pes header:

   for (; pos + 9 < length && !IsPesHeader(pesArray.SubArray(pos, 4)); 
pos++);

With corrupted streams loop may reach the end of the buffer without 
finding a valid header and the subsequent code tries to decode the bogus 
header data often causing a segv. The patch detects this condition and 
causes the bad data to be dropped.

	Jon

--- dxr3/dxr3pesframe.c.~1.2.2.6.~	2005-04-29 23:58:25.000000000 +0100
+++ dxr3/dxr3pesframe.c	2005-04-30 00:00:03.000000000 +0100
@@ -44,6 +44,10 @@
 	if (length > 9)
 	{
 	    for (; pos + 9 < length && !IsPesHeader(pesArray.SubArray(pos, 4)); pos++);
+	    if (pos + 9 >= length) {
+                m_remainingLength = 0;
+                return m_bValid;
+            }
 	    m_pPesStart = pBuf + pos;
 
 	    if ((pesArray[pos + 6] & 0xC0) == 0x80