[libdvbpsi-devel] Fix length checks and use valid private data length in linkage descriptor
Daniel Kamil Kozar
git at videolan.org
Mon Aug 24 12:54:42 CEST 2015
libdvbpsi | branch: master | Daniel Kamil Kozar <dkk089 at gmail.com> | Sat Jul 18 00:52:18 2015 +0200| [f8906fb230e039ac19d0648b889b7d580014c826] | committer: Jean-Paul Saman
Fix length checks and use valid private data length in linkage descriptor
The shortest valid linkage descriptor contains 56 bits = 7 bytes of payload.
Since the maximum possible payload length is 253 bytes, this leaves 246 bytes
for private data, not 248.
Also, the length checks were changed in order to check the minimum possible
length of the descriptor with the given data, instead of checking maximum
lengths.
(cherry picked from commit 36836f6fec2211d86e62e507570ba7372392d4f6)
Signed-off-by: Jean-Paul Saman <jpsaman at videolan.org>
> http://git.videolan.org/gitweb.cgi/libdvbpsi.git/?a=commit;h=f8906fb230e039ac19d0648b889b7d580014c826
---
src/descriptors/dr_4a.c | 24 +++++++++++++++---------
src/descriptors/dr_4a.h | 2 +-
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/descriptors/dr_4a.c b/src/descriptors/dr_4a.c
index 590a122..da1b80e 100644
--- a/src/descriptors/dr_4a.c
+++ b/src/descriptors/dr_4a.c
@@ -39,6 +39,10 @@
#include "dr_4a.h"
+/* the smallest valid linkage descriptor consists of a transport_stream_id (16),
+ * original_network_id (16), service_id (16), and linkage_type (8). */
+#define DR_4A_MIN_SIZE 7
+
/*****************************************************************************
* dvbpsi_DecodeLinkageDr
*****************************************************************************/
@@ -53,23 +57,25 @@ dvbpsi_linkage_dr_t* dvbpsi_DecodeLinkageDr(dvbpsi_descriptor_t * p_descriptor)
return p_descriptor->p_decoded;
/* Check the length */
+ if (p_descriptor->i_length < DR_4A_MIN_SIZE)
+ return NULL;
+
int handover_type = 0, origin_type = 0;
if (p_descriptor->p_data[6] == 0x08)
{
+ if (p_descriptor->i_length < DR_4A_MIN_SIZE + 1)
+ return NULL;
+
handover_type = p_descriptor->p_data[7] & 0xF0 >> 4;
origin_type = p_descriptor->p_data[7] & 0x01;
if ((( handover_type > 0 ) && ( handover_type < 4 )
- && ( origin_type == 0 ) && ( p_descriptor->i_length > 243 )) ||
+ && ( origin_type == 0 ) && ( p_descriptor->i_length < DR_4A_MIN_SIZE + 5 )) ||
(( handover_type > 0 ) && ( handover_type < 4 )
- && ( origin_type == 1 ) && ( p_descriptor->i_length > 245 )))
+ && ( origin_type == 1 ) && ( p_descriptor->i_length < DR_4A_MIN_SIZE + 3 )))
return NULL;
}
if (p_descriptor->p_data[6] == 0x0D &&
- p_descriptor->i_length > 245)
- return NULL;
- if (p_descriptor->p_data[6] != 0x08 &&
- p_descriptor->p_data[6] != 0x0D &&
- p_descriptor->i_length > 248)
+ p_descriptor->i_length < DR_4A_MIN_SIZE + 3)
return NULL;
/* Allocate memory */
@@ -123,8 +129,8 @@ dvbpsi_linkage_dr_t* dvbpsi_DecodeLinkageDr(dvbpsi_descriptor_t * p_descriptor)
i = 10;
}
p_decoded->i_private_data_length = p_descriptor->i_length - i;
- if (p_decoded->i_private_data_length > 248)
- p_decoded->i_private_data_length = 248;
+ if (p_decoded->i_private_data_length > 246)
+ p_decoded->i_private_data_length = 246;
memcpy(p_decoded->i_private_data, &p_descriptor->p_data[i], p_decoded->i_private_data_length);
p_descriptor->p_decoded = (void*)p_decoded;
diff --git a/src/descriptors/dr_4a.h b/src/descriptors/dr_4a.h
index 168917e..805483b 100644
--- a/src/descriptors/dr_4a.h
+++ b/src/descriptors/dr_4a.h
@@ -80,7 +80,7 @@ typedef struct dvbpsi_linkage_dr_s
uint8_t i_private_data_length; /*!< length of the i_private_data
array */
- uint8_t i_private_data[248]; /*!< private data */
+ uint8_t i_private_data[246]; /*!< private data */
} dvbpsi_linkage_dr_t;
More information about the libdvbpsi-devel
mailing list