[libdvbpsi-devel] Section CRC not being checked

Brad Bitterman bitter at vtilt.com
Thu Oct 3 18:01:46 CEST 2013


So I had a chance to test all the ATSC tables that are in libdvbpsi. I did make the change mentioned below to each table and attached a patch to this email.

I did find and issue with ETT parsing though. The function dvbpsi_atsc_DecodeETTSections causes a crash. It seems the memory for p_ett->p_etm_data is not being allocated. Also, the check for the p_ett->p_etm_data is wrong. It should be this:

 if (!p_ett->p_etm_data)
            abort();

I tried malloc'ing the memory and correcting the pointer check. When I do that I get an abort from libc free saying double free or corruption. Here is the stack trace:

#0  0x0000003908e35935 in raise () from /lib64/libc.so.6
#1  0x0000003908e370e8 in abort () from /lib64/libc.so.6
#2  0x0000003908e74e8b in __libc_message () from /lib64/libc.so.6
#3  0x0000003908e7c00e in _int_free () from /lib64/libc.so.6
#4  0x00007ffff7ddca91 in dvbpsi_DeletePSISections (p_section=0x7fffe80008c0) at psi.c:179
#5  0x00007ffff7deb992 in dvbpsi_atsc_GatherETTSections (p_dvbpsi=0x7ffff00008c0, p_decoder=0x7fffe8001910, p_section=0x7fffe80008c0)
    at tables/atsc_ett.c:403
#6  0x00007ffff7ddd17e in dvbpsi_Demux (p_dvbpsi=0x7ffff00008c0, p_section=0x7fffe80008c0) at demux.c:123
#7  0x00007ffff7ddc31e in dvbpsi_packet_push (p_dvbpsi=0x7ffff00008c0, p_data=0x7ffff75b5dd0 "GR\a\031") at dvbpsi.c:445
#8  0x0000000000403cff in ATSCServices::demuxCallback (stream=0x7ffff75b5dd0 "GR\a\031", size=188, privateData=0x7fffffffde70, args=0x0)
    at ATSCServices.cpp:172
#9  0x00000000004021fb in DemuxInterface::run (context=0x609060) at DemuxInterface.cpp:106
#10 0x0000003909607d14 in start_thread () from /lib64/libpthread.so.0
#11 0x0000003908ef168d in clone () from /lib64/libc.so.6


I'm not sure where to go from here in trying to debug it. I'm not actually using EITs and ETTs so its not a problem for me but might be for someone else in the future.

I can send you a capture of ETT TS packets that you can test with if you want me to.

Thanks,

Brad Bitterman
bitter at vtilt.com



On Oct 2, 2013, at 1:30 PM, Jean-Paul Saman <jpsaman at videolan.org> wrote:

> Brad,
> 
> On Wed, Oct 2, 2013 at 7:03 PM, Brad Bitterman <bitter at vtilt.com> wrote:
> The patch works.
> 
> On another note, in atsc_mgt.c I think there might be an issue in dvbpsi_AddSectionMGT. At line 387 there is a check to see if p_decoder->p_building_mgt gets created from the call to dvbpsi_atsc_NewMGT. The check is as follows:
> 
> if (p_decoder->p_building_mgt)
>          return false;
> 
> Shouldn't it be this:
> 
> if (!p_decoder->p_building_mgt)
>           return false;
> 
>  
> indeed, I quickly checked 2 other ATSC table  and they have the same problem.
> I guess it refers to all ATSC tables. Could you prepare a patch for all ATSC tables and properly test it?
> 
> I do not have ATSC sources, so cannot test.
> 
> Kind regards,
> 
> Jean-Paul Saman.
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/libdvbpsi-devel/attachments/20131003/70456668/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: atsc.patch
Type: application/octet-stream
Size: 4127 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/libdvbpsi-devel/attachments/20131003/70456668/attachment.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/libdvbpsi-devel/attachments/20131003/70456668/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.videolan.org/pipermail/libdvbpsi-devel/attachments/20131003/70456668/attachment.sig>


More information about the libdvbpsi-devel mailing list