From 63ee17701a51ae721a1d0b4517783d3ffba35f74 Mon Sep 17 00:00:00 2001
From: Klaus Schmidinger <vdr@tvdr.de>
Date: Sun, 29 Dec 2013 17:20:22 +0100
Subject: [PATCH] Added a check to avoid a possible NULL pointer dereference in
 cCiSession::SendData()

---
 CONTRIBUTORS | 1 +
 HISTORY      | 4 +++-
 ci.c         | 5 +++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 655df998..2319ac92 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -2035,6 +2035,7 @@ Ville Skytt
  displayed
  for fixing some spellings in positioner.h and Doxyfile
  for changing '%a' to the POSIX compliant '%m' in all scanf() calls
+ for reporting a possible NULL pointer dereference in cCiSession::SendData()
 
 Steffen Beyer <cpunk@reactor.de>
  for fixing setting the colored button help after deleting a recording in case the next
diff --git a/HISTORY b/HISTORY
index 4620fcd1..2cd54297 100644
--- a/HISTORY
+++ b/HISTORY
@@ -8032,7 +8032,7 @@ Video Disk Recorder Revision History
   the last replayed recording (if any) by pressing Ok repeatedly in the Recordings
   menu.
 
-2013-12-28: Version 2.1.3
+2013-12-29: Version 2.1.3
 
 - Changed the return value of cPositioner::HorizonLongitude() to 0 in case the
   latitude of the antenna location is beyond +/-81 degrees.
@@ -8097,3 +8097,5 @@ Video Disk Recorder Revision History
 - cTSBuffer now provides the number of available bytes in its Get() function.
 - cDvbDevice::GetTSPacket() now calls CamSlot()->Decrypt() in order to allow CAM slots
   that can be freely assigned to any device access to the TS data stream.
+- Added a check to avoid a possible NULL pointer dereference in cCiSession::SendData()
+  (reported by Ville Skyttä).
diff --git a/ci.c b/ci.c
index 7fc39595..92aaf722 100644
--- a/ci.c
+++ b/ci.c
@@ -4,7 +4,7 @@
  * See the main source file 'vdr.c' for copyright information and
  * how to reach the author.
  *
- * $Id: ci.c 3.1 2013/12/28 11:57:51 kls Exp $
+ * $Id: ci.c 3.2 2013/12/29 15:51:08 kls Exp $
  */
 
 #include "ci.h"
@@ -403,7 +403,8 @@ void cCiSession::SendData(int Tag, int Length, const uint8_t *Data)
   *p++ =  Tag        & 0xFF;
   p = SetLength(p, Length);
   if (p - buffer + Length < int(sizeof(buffer))) {
-     memcpy(p, Data, Length);
+     if (Data)
+        memcpy(p, Data, Length);
      p += Length;
      tc->SendData(p - buffer, buffer);
      }