Permalink
Browse files

dsmcc: Prevent a potential SEGV by reading beyond end of buffer

Add a test to Dsmcc::ProcessSection to detect if the section length field
is greater than the actual buffer length.  This prevents the CRC
calculation from reading beyond the buffer and causing a SEGV.

Signed-off-by: Lawrence Rust <lvr@softsystem.co.uk>
Signed-off-by: Stuart Morgan <smorgan@mythtv.org>
  • Loading branch information...
Lawrence Rust authored and stuartm committed Oct 29, 2011
1 parent 383ada4 commit 0991f8e570277c4fc985f72314b0833708bf71d9
Showing with 7 additions and 0 deletions.
  1. +7 −0 mythtv/libs/libmythtv/dsmcc.cpp
@@ -499,6 +499,7 @@ void Dsmcc::ProcessSection(const unsigned char *data, int length,
// This will only happen at start-up
if (AddTap(componentTag, carouselId))
{
LOG(VB_DSMCC, LOG_INFO, QString("[dsmcc] Initial stream tag %1").arg(componentTag));
m_startTag = componentTag;
found = true;
}
@@ -516,6 +517,12 @@ void Dsmcc::ProcessSection(const unsigned char *data, int length,
unsigned short section_len = ((data[1] & 0xF) << 8) | (data[2]);
section_len += 3;/* 3 bytes before length count starts */
if (section_len > length)
{
LOG(VB_DSMCC, LOG_WARNING, "[dsmcc] section length > data length");
return;
}
/* Check CRC before trying to parse */
unsigned long crc32_decode = crc32(data, section_len);

0 comments on commit 0991f8e

Please sign in to comment.