cTS2PES::write_ipack infinite recursion

Message ID 494848F3.9060805@gmx.de
State New

Commit Message

Reinhard Nissl Dec. 17, 2008, 12:33 a.m. UTC

Reinhard Nissl schrieb:

>>> Is there a regular chance for you to reproduce this issue?
>>> I could send you a code fragment then which would store a
>>> reasonably sized fragment of the TS stream which would help me
>>> very much in solving this issue.
>> It hasn't happened again yet, and I don't think the chance is high that 
>> it will occur again, even during bad reception...
>> I have extracted the TS data that was passed to cRemux::Put from the 
>> coredump though (24440 bytes, I'll send it to you in a separate, private 
>> mail).
> Thanks for your efforts so far.
>> When I just feed this data to a pristine cRemux instance ('cRemux *remux 
>> = new cRemux(1023, 0, 0, 0, true); remux->Put(data, sizeof data);'), it 
>> doesn't trigger the bug however, so it depends on some state generated 
>> by earlier packets I probably can't access anymore.
>> When I hack cTS2PES::ts_to_pes to always set "done=true;" at the start 
>> of the function, write_ipack recurses in a similar fashion, though...
>> Maybe that helps... if you need earlier TS packets, maybe I could try to 
>> dump them from the ringbuffer...
> I would be glad if you could extract that data too ;-)

Please find attached the patch (should be compatible with 1.6.x
and 1.7.0) which fixes this issue.

The problem was that "done" was set to true but not reset with
the next PES packet. Typically this is done when found reaches
plength + 6, or when found was at least 6. But in this case,
found was just 4 as the PES packet started near the end of a TS
packet. Then some TS packets were missing and the next one
started a new PES packet. But only found was reset to 0 while
done got stuck at true. Later on, this caused write_ipack() calls
with mpeg still being 0. In this case, send_ipack() didn't reset
count so that the recursive call to write_ipack() parsed ancient
data, leading to incorrect breakAt locations which made bite
negative. As a result, the recursive calls stepped forward and
backward on the same data forever.
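The failure sequence described above, reduced to an added stand-alone C model. This is not VDR's code and not part of the patch: the `pes_state` struct, the byte patterns, the `feed()` matcher and the two reset variants are constructed assumptions that mirror only the `found`/`done`/`plength` bookkeeping the message talks about, so the point (clearing `found` alone leaves `done` stuck across a discontinuity) can be reproduced and checked without the real cTS2PES.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified model of the PES start-code detector state:
 * `found` counts header bytes matched so far, `done` records that a
 * valid stream id followed the 00 00 01 start code, `plength` holds the
 * PES_packet_length once both length bytes have arrived. */
struct pes_state {
    int found;
    bool done;
    int plength;
};

/* Feed one TS payload fragment through the header matcher. */
static void feed(struct pes_state *s, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t b = p[i];
        switch (s->found) {
        case 0: case 1:
            s->found = (b == 0x00) ? s->found + 1 : 0;
            break;
        case 2:
            if (b == 0x01) s->found = 3;
            else if (b != 0x00) s->found = 0;
            break;
        case 3:
            /* accept video (0xE0..0xEF) and audio (0xC0..0xDF) stream ids */
            if ((b & 0xE0) == 0xC0 || (b & 0xF0) == 0xE0) { s->done = true; s->found = 4; }
            else s->found = 0;
            break;
        case 4: s->plength = b << 8; s->found = 5; break;
        case 5: s->plength |= b;     s->found = 6; break;
        default: s->found++; break;   /* header flags / payload bytes */
        }
    }
}

/* Behaviour before the fix: a new payload_unit_start only clears `found`. */
static void start_new_pes_buggy(struct pes_state *s) { s->found = 0; }

/* Behaviour after the fix: the whole packet state is reset, `done` included. */
static void start_new_pes_fixed(struct pes_state *s)
{
    s->found = 0; s->done = false; s->plength = 0;
}

/* Invariant the downstream code relies on: `done` may only be set once the
 * stream id has actually been matched, i.e. found >= 4. */
static bool state_consistent(const struct pes_state *s)
{
    return !s->done || s->found >= 4;
}

/* Replays the scenario from the message: a PES header that begins 4 bytes
 * before the end of a TS packet, then lost packets, then a TS packet with a
 * fresh PES start. Returns true when the state is still consistent while
 * the new header's stream id has not yet been seen. */
static bool replay(void (*on_new_pes)(struct pes_state *))
{
    /* constructed sample bytes: truncated header, then a full one */
    static const uint8_t tail[4] = {0x00, 0x00, 0x01, 0xE0};
    static const uint8_t next[8] = {0x00, 0x00, 0x01, 0xE0, 0x00, 0x20, 0x80, 0x80};
    struct pes_state s = {0, false, 0};

    feed(&s, tail, sizeof tail);      /* found == 4, done == true */
    /* ...TS packets missing here... */
    on_new_pes(&s);                   /* payload_unit_start on the next packet */
    feed(&s, next, 3);                /* start code seen, stream id not yet */
    return state_consistent(&s);
}

int main(void)
{
    printf("only found reset : consistent=%d\n", replay(start_new_pes_buggy));
    printf("full reset       : consistent=%d\n", replay(start_new_pes_fixed));
    return 0;
}
```

With the old reset the model reports `done == true` while `found` is back below 4, which is exactly the state in which the real code went on to call write_ipack() with stale bookkeeping; the full reset keeps the invariant.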



--- ../vdr-1.7.0-patched/remux.c	2008-02-24 19:14:45.000000000 +0100
+++ remux.c	2008-12-17 00:33:16.000000000 +0100
@@ -2430,9 +2451,8 @@  void cTS2PES::ts_to_pes(const uint8_t *B
            dsyslog("PES packet shortened to %d bytes (expected: %d bytes)", found, plength + 6);
         plength = found - 6;
-        reset_ipack();
-     found = 0;
+     reset_ipack();
   uint8_t off = 0;
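Review bot: making `reset_ipack();` unconditional in place of `found = 0;` is the right spot to clear the stuck `done` flag, but the hunk does not show reset_ipack()'s body, so it cannot be verified here that it clears `done` (and `mpeg` and `count`, which the description also names) rather than only `found`; please confirm that, or put an explicit `done = false;` beside the call. Two smaller points: `plength = found - 6;` still sits directly above `reset_ipack();` in the visible lines, so if reset_ipack() clears `plength` and nothing in the elided lines between them reads it, that assignment is dead (the dsyslog above it already reads `found` and the old `plength`) and could be dropped. And the header claims 9 old / 8 new lines while only 5 / 4 are shown, and `--- ../vdr-1.7.0-patched/remux.c` with old line 2430 against new line 2451 indicates the diff was taken against a locally patched tree; a diff regenerated against pristine 1.7.0 (and 1.6.x, since the message claims compatibility) would apply without fuzz and show the complete hunk.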