From 373cf46421062ec28c01df380f8145554ddb59c6 Mon Sep 17 00:00:00 2001
From: Klaus Schmidinger <vdr@tvdr.de>
Date: Sun, 17 Sep 2000 15:23:05 +0200
Subject: Fixed a buffer overflow in EIT parsing

---
 eit.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'eit.c')

diff --git a/eit.c b/eit.c
index c86fecc5..d62c9025 100644
--- a/eit.c
+++ b/eit.c
@@ -13,7 +13,7 @@
  *   the Free Software Foundation; either version 2 of the License, or     *
  *   (at your option) any later version.                                   *
  *                                                                         *
- * $Id: eit.c 1.2 2000/09/17 08:02:30 kls Exp $
+ * $Id: eit.c 1.3 2000/09/17 15:23:05 kls Exp $
  ***************************************************************************/
 
 #include "eit.h"
@@ -308,11 +308,11 @@ char * cEIT::mjd2string(unsigned short mjd)
 /**  */
 int cEIT::GetEIT()
 {
-	unsigned char buf[1024];
+	unsigned char buf[4096+1]; // max. allowed size for any EIT section (+1 for safety ;-)
 	eit_t *eit;
 	struct eit_loop_struct1 *eitloop;
 	struct eit_short_event_descriptor_struct *eitevt;
-	int seclen;
+	unsigned int seclen;
 	unsigned short handle, pid;
 	eit_event * pevt = (eit_event *)0;
 	time_t tstart;
@@ -350,6 +350,8 @@ int cEIT::GetEIT()
 		seclen=(buf[6]<<8)|buf[7];
 		pid=(buf[4]<<8)|buf[5];
 	
+                if (seclen >= sizeof(buf))
+                   seclen = sizeof(buf) - 1;
 		read(fsvbi, buf, seclen);
 	
 		if (seclen < (int)(sizeof(eit_t)
-- 
cgit v1.2.3