From 539c0da85348b52534429bed7ff0a5ea24bbf00f Mon Sep 17 00:00:00 2001
From: Klaus Schmidinger <vdr@tvdr.de>
Date: Thu, 13 May 2010 14:39:41 +0200
Subject: Fixed a possible out of buffer memory access in case of bad TS data

---
 CONTRIBUTORS | 1 +
 HISTORY      | 2 ++
 remux.c      | 6 +++++-
 remux.h      | 5 +++--
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index ca12038d..b0603937 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -1094,6 +1094,7 @@ Rolf Ahrenberg <rahrenbe@cc.hut.fi>
  for keeping subtitles visible when pausing replay
  for suggesting to assign the source character 'I' to "IPTV"
  for fixing generating PMT language descriptors for multi language PIDs
+ for reporting a possible out of buffer memory access in case of bad TS data
 
 Ralf Klueber <ralf.klueber@vodafone.com>
  for reporting a bug in cutting a recording if there is only a single editing mark
diff --git a/HISTORY b/HISTORY
index 627bddc9..c5927e76 100644
--- a/HISTORY
+++ b/HISTORY
@@ -6451,3 +6451,5 @@ Video Disk Recorder Revision History
 - Fixed a crash when creating a new channel if the channel list is empty (reported
   by Halim Sahin).
 - Updated the Czech OSD texts (thanks to Radek Stastny).
+- Fixed a possible out of buffer memory access in case of bad TS data (reported
+  by Rolf Ahrenberg).
diff --git a/remux.c b/remux.c
index 3ac83dd7..80ebeb77 100644
--- a/remux.c
+++ b/remux.c
@@ -4,7 +4,7 @@
  * See the main source file 'vdr.c' for copyright information and
  * how to reach the author.
  *
- * $Id: remux.c 2.44 2010/04/18 13:40:20 kls Exp $
+ * $Id: remux.c 2.45 2010/05/13 14:16:56 kls Exp $
  */
 
 #include "remux.h"
@@ -663,6 +663,10 @@ void cTsToPes::PutTs(const uchar *Data, int Length)
   if (length + Length > size) {
      size = max(KILOBYTE(2), length + Length);
      data = (uchar *)realloc(data, size);
+     if (!data) {
+        Reset();
+        return;
+        }
      }
   memcpy(data + length, Data, Length);
   length += Length;
diff --git a/remux.h b/remux.h
index 1115c4ad..0b63d98b 100644
--- a/remux.h
+++ b/remux.h
@@ -4,7 +4,7 @@
  * See the main source file 'vdr.c' for copyright information and
  * how to reach the author.
  *
- * $Id: remux.h 2.24 2010/01/29 16:51:26 kls Exp $
+ * $Id: remux.h 2.25 2010/05/13 14:29:45 kls Exp $
  */
 
 #ifndef __REMUX_H
@@ -84,7 +84,8 @@ inline bool TsIsScrambled(const uchar *p)
 
 inline int TsPayloadOffset(const uchar *p)
 {
-  return (p[3] & TS_ADAPT_FIELD_EXISTS) ? p[4] + 5 : 4;
+  int o = (p[3] & TS_ADAPT_FIELD_EXISTS) ? p[4] + 5 : 4;
+  return o <= TS_SIZE ? o : TS_SIZE;
 }
 
 inline int TsGetPayload(const uchar **p)
-- 
cgit v1.2.3