summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKlaus Schmidinger <vdr@tvdr.de>2000-09-17 15:23:05 +0200
committerKlaus Schmidinger <vdr@tvdr.de>2000-09-17 15:23:05 +0200
commit373cf46421062ec28c01df380f8145554ddb59c6 (patch)
tree358bd120079f32f9c0e93544b90e791697129330
parentd79dc06f6c1d3f98530314b3ae0528af0055bf59 (diff)
downloadvdr-373cf46421062ec28c01df380f8145554ddb59c6.tar.gz
vdr-373cf46421062ec28c01df380f8145554ddb59c6.tar.bz2
Fixed a buffer overflow in EIT parsing
-rw-r--r--HISTORY1
-rw-r--r--eit.c8
2 files changed, 6 insertions, 3 deletions
diff --git a/HISTORY b/HISTORY
index d02a1cc7..9d10b647 100644
--- a/HISTORY
+++ b/HISTORY
@@ -193,3 +193,4 @@ Video Disk Recorder Revision History
- If the name of the video directory used with the '-v' option had trailing
slashes, the recording file names have been damaged. Trailing slashes are
now silently removed.
+- Fixed a buffer overflow in EIT parsing.
diff --git a/eit.c b/eit.c
index c86fecc5..d62c9025 100644
--- a/eit.c
+++ b/eit.c
@@ -13,7 +13,7 @@
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
- * $Id: eit.c 1.2 2000/09/17 08:02:30 kls Exp $
+ * $Id: eit.c 1.3 2000/09/17 15:23:05 kls Exp $
***************************************************************************/
#include "eit.h"
@@ -308,11 +308,11 @@ char * cEIT::mjd2string(unsigned short mjd)
/** */
int cEIT::GetEIT()
{
- unsigned char buf[1024];
+ unsigned char buf[4096+1]; // max. allowed size for any EIT section (+1 for safety ;-)
eit_t *eit;
struct eit_loop_struct1 *eitloop;
struct eit_short_event_descriptor_struct *eitevt;
- int seclen;
+ unsigned int seclen;
unsigned short handle, pid;
eit_event * pevt = (eit_event *)0;
time_t tstart;
@@ -350,6 +350,8 @@ int cEIT::GetEIT()
seclen=(buf[6]<<8)|buf[7];
pid=(buf[4]<<8)|buf[5];
+ if (seclen >= sizeof(buf))
+ seclen = sizeof(buf) - 1;
read(fsvbi, buf, seclen);
if (seclen < (int)(sizeof(eit_t)