From 373cf46421062ec28c01df380f8145554ddb59c6 Mon Sep 17 00:00:00 2001 From: Klaus Schmidinger Date: Sun, 17 Sep 2000 15:23:05 +0200 Subject: [PATCH] Fixed a buffer overflow in EIT parsing --- HISTORY | 1 + eit.c | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/HISTORY b/HISTORY index d02a1cc7..9d10b647 100644 --- a/HISTORY +++ b/HISTORY @@ -193,3 +193,4 @@ Video Disk Recorder Revision History - If the name of the video directory used with the '-v' option had trailing slashes, the recording file names have been damaged. Trailing slashes are now silently removed. +- Fixed a buffer overflow in EIT parsing. diff --git a/eit.c b/eit.c index c86fecc5..d62c9025 100644 --- a/eit.c +++ b/eit.c @@ -13,7 +13,7 @@ * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * * * - * $Id: eit.c 1.2 2000/09/17 08:02:30 kls Exp $ + * $Id: eit.c 1.3 2000/09/17 15:23:05 kls Exp $ ***************************************************************************/ #include "eit.h" @@ -308,11 +308,11 @@ char * cEIT::mjd2string(unsigned short mjd) /** */ int cEIT::GetEIT() { - unsigned char buf[1024]; + unsigned char buf[4096+1]; // max. allowed size for any EIT section (+1 for safety ;-) eit_t *eit; struct eit_loop_struct1 *eitloop; struct eit_short_event_descriptor_struct *eitevt; - int seclen; + unsigned int seclen; unsigned short handle, pid; eit_event * pevt = (eit_event *)0; time_t tstart; @@ -350,6 +350,8 @@ int cEIT::GetEIT() seclen=(buf[6]<<8)|buf[7]; pid=(buf[4]<<8)|buf[5]; + if (seclen >= sizeof(buf)) + seclen = sizeof(buf) - 1; read(fsvbi, buf, seclen); if (seclen < (int)(sizeof(eit_t)