From d406be694d7ee0d5afa5450ab753225c8920a06b Mon Sep 17 00:00:00 2001 From: Klaus Schmidinger Date: Sat, 8 Mar 2014 15:08:30 +0100 Subject: Fixed a possible endless loop in cH264Parser::GetGolombUe() --- HISTORY | 4 +++- remux.c | 12 +++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/HISTORY b/HISTORY index 5dfce4f2..af9d478d 100644 --- a/HISTORY +++ b/HISTORY @@ -7870,7 +7870,7 @@ Video Disk Recorder Revision History and also to use the correct directory with --edit (the latter reported by Marko Mäkelä). -2014-02-27: Version 2.0.6 +2014-03-08: Version 2.0.6 - Updated 'sources.conf' (thanks to Antti Hartikainen). - cFont::CreateFont() now returns a dummy font in case there are no fonts installed. @@ -7900,3 +7900,5 @@ Video Disk Recorder Revision History deleted in a sub folder. - Fixed handling transfer mode on full featured DVB cards for encrypted channels that have no audio pid (reported by Christian Winkler). +- Fixed a possible endless loop in cH264Parser::GetGolombUe(), which caused recordings + on some HD channels to get stuck and resulted in buffer overflows. diff --git a/remux.c b/remux.c index 5906d365..20ea57af 100644 --- a/remux.c +++ b/remux.c @@ -4,7 +4,7 @@ * See the main source file 'vdr.c' for copyright information and * how to reach the author. * - * $Id: remux.c 2.75.1.3 2014/02/21 14:37:51 kls Exp $ + * $Id: remux.c 2.75.1.4 2014/03/08 15:08:30 kls Exp $ */ #include "remux.h" @@ -272,7 +272,7 @@ uchar cTsPayload::GetByte(void) if (data[index] == TS_SYNC_BYTE && index + TS_SIZE <= length) { // to make sure we are at a TS header start and drop incomplete TS packets at the end uchar *p = data + index; if (TsPid(p) == pid) { // only handle TS packets for the initial PID - if (numPacketsPid++ > MAX_TS_PACKETS_FOR_VIDEO_FRAME_DETECTION) + if (++numPacketsPid > MAX_TS_PACKETS_FOR_VIDEO_FRAME_DETECTION) return SetEof(); if (TsHasPayload(p)) { if (index > 0 && TsPayloadStart(p)) // checking index to not skip the very first TS packet @@ -1252,7 +1252,7 @@ uint32_t cH264Parser::GetBits(int Bits) uint32_t cH264Parser::GetGolombUe(void) { int z = -1; - for (int b = 0; !b; z++) + for (int b = 0; !b && z < 32; z++) // limiting z to no get stuck if GetBit() always returns 0 b = GetBit(); return (1 << z) - 1 + GetBits(z); } @@ -1288,8 +1288,10 @@ int cH264Parser::Parse(const uchar *Data, int Length, int Pid) case nutAccessUnitDelimiter: ParseAccessUnitDelimiter(); gotAccessUnitDelimiter = true; break; - case nutSequenceParameterSet: ParseSequenceParameterSet(); - gotSequenceParameterSet = true; + case nutSequenceParameterSet: if (gotAccessUnitDelimiter) { + ParseSequenceParameterSet(); + gotSequenceParameterSet = true; + } break; case nutCodedSliceNonIdr: case nutCodedSliceIdr: if (gotAccessUnitDelimiter && gotSequenceParameterSet) { -- cgit v1.2.3