Commit f8906fb2 authored by Daniel Kamil Kozar's avatar Daniel Kamil Kozar Committed by Jean-Paul Saman

Fix length checks and use valid private data length in linkage descriptor

The shortest valid linkage descriptor contains 56 bits = 7 bytes of payload.
Since the maximum possible payload length is 253 bytes, this leaves 246 bytes
for private data, not 248.

Also, the length checks were changed in order to check the minimum possible
length of the descriptor with the given data, instead of checking maximum
lengths.

(cherry picked from commit 36836f6fec2211d86e62e507570ba7372392d4f6)
Signed-off-by: Jean-Paul Saman's avatarJean-Paul Saman <jpsaman@videolan.org>
parent e2c39f11
......@@ -39,6 +39,10 @@
#include "dr_4a.h"
/* the smallest valid linkage descriptor consists of a transport_stream_id (16),
* original_network_id (16), service_id (16), and linkage_type (8). */
#define DR_4A_MIN_SIZE 7
/*****************************************************************************
* dvbpsi_DecodeLinkageDr
*****************************************************************************/
......@@ -53,23 +57,25 @@ dvbpsi_linkage_dr_t* dvbpsi_DecodeLinkageDr(dvbpsi_descriptor_t * p_descriptor)
return p_descriptor->p_decoded;
/* Check the length */
if (p_descriptor->i_length < DR_4A_MIN_SIZE)
return NULL;
int handover_type = 0, origin_type = 0;
if (p_descriptor->p_data[6] == 0x08)
{
if (p_descriptor->i_length < DR_4A_MIN_SIZE + 1)
return NULL;
handover_type = p_descriptor->p_data[7] & 0xF0 >> 4;
origin_type = p_descriptor->p_data[7] & 0x01;
if ((( handover_type > 0 ) && ( handover_type < 4 )
&& ( origin_type == 0 ) && ( p_descriptor->i_length > 243 )) ||
&& ( origin_type == 0 ) && ( p_descriptor->i_length < DR_4A_MIN_SIZE + 5 )) ||
(( handover_type > 0 ) && ( handover_type < 4 )
&& ( origin_type == 1 ) && ( p_descriptor->i_length > 245 )))
&& ( origin_type == 1 ) && ( p_descriptor->i_length < DR_4A_MIN_SIZE + 3 )))
return NULL;
}
if (p_descriptor->p_data[6] == 0x0D &&
p_descriptor->i_length > 245)
return NULL;
if (p_descriptor->p_data[6] != 0x08 &&
p_descriptor->p_data[6] != 0x0D &&
p_descriptor->i_length > 248)
p_descriptor->i_length < DR_4A_MIN_SIZE + 3)
return NULL;
/* Allocate memory */
......@@ -123,8 +129,8 @@ dvbpsi_linkage_dr_t* dvbpsi_DecodeLinkageDr(dvbpsi_descriptor_t * p_descriptor)
i = 10;
}
p_decoded->i_private_data_length = p_descriptor->i_length - i;
if (p_decoded->i_private_data_length > 248)
p_decoded->i_private_data_length = 248;
if (p_decoded->i_private_data_length > 246)
p_decoded->i_private_data_length = 246;
memcpy(p_decoded->i_private_data, &p_descriptor->p_data[i], p_decoded->i_private_data_length);
p_descriptor->p_decoded = (void*)p_decoded;
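Review bot: In the `0x08` branch, `p_descriptor->p_data[7] & 0xF0 >> 4` parses as `p_data[7] & (0xF0 >> 4)` because `>>` binds tighter than `&`, so `handover_type` receives the low nibble of byte 7 instead of the high one. The new minimum-length conditions on `handover_type > 0 && handover_type < 4` are therefore keyed on the wrong bits, and a short descriptor can pass them. If the decoding further down (outside these hunks) extracts the field correctly and advances `i` beyond `i_length`, then `i_length - i` wraps when stored in the `uint8_t` `i_private_data_length`, and the `memcpy` can read past the descriptor payload. The line should read `handover_type = (p_descriptor->p_data[7] & 0xF0) >> 4;`. It is also worth confirming the case `origin_type == 0` with `handover_type` outside 1..3, since none of the visible conditions sets a minimum length for it.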
......
......@@ -80,7 +80,7 @@ typedef struct dvbpsi_linkage_dr_s
uint8_t i_private_data_length; /*!< length of the i_private_data
array */
uint8_t i_private_data[248]; /*!< private data */
uint8_t i_private_data[246]; /*!< private data */
} dvbpsi_linkage_dr_t;
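Review bot: The bound 246 now appears twice as a bare literal, in this array declaration and in the clamp before the `memcpy` in `dvbpsi_DecodeLinkageDr`, and nothing ties the two together; the earlier 248 shows how such a pair can drift from the real limit. Clamping against `sizeof(p_decoded->i_private_data)` in the decoder would make the copy bound follow the array automatically. A comment such as `/*!< private data, at most 253 - 7 = 246 bytes */` would record where the number comes from. If this header is installed for applications, the smaller struct is also a layout change, so callers that size their own buffers from the old 248 should be checked.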
......