[mythtv-commits] Ticket #12339: 708decoder crashes on specific data:

[MythTV]

#12339: 708decoder crashes on specific data:
--------------------------------------+-------------------------
     Reporter:  eugene.smirnov@…      |      Owner:
         Type:  Bug Report - General  |     Status:  new
     Priority:  major                 |  Milestone:  unknown
    Component:  MythTV - General      |    Version:  Master Head
     Severity:  medium                |   Keywords:
Ticket locked:  0                     |
--------------------------------------+-------------------------
 Hi guys, i recently found a problem in EIA708 decoder implementation,
 causing my programm to crash, please take a look at source code.

 cc708decoder.cpp line 503
 static int handle_cc_c2(CC708Reader* cc, uint service_num, int i)
 {
     const int blk_size = cc->buf_size[service_num];
     const int code = cc->buf[service_num][i+1];

 so it accessing buffer at position i+1, while that function used as
 follows:

 cc708decoder.cpp line 330
  // C2 code -- nothing in EIA-708-A
 i = handle_cc_c2(cc, service_num, i+1);

 For example handle_cc_c3 works fine, there is no extra i+1 in callee
 function

 This looks like off by one issue, in my environment array was out of
 bound, cinse i've used stl vector instead of c++ arrays, probably dueto
 way of allocation buffer there never a crash in original code, but rather
 some inconsistence.

 I'm attaching 708 data file that consist of 3*X bytes of CEA708 data. You
 can use it to check issue, if to feed decoder with type byte right shifted
 by 3

--
Ticket URL: <https://code.mythtv.org/trac/ticket/12339>
MythTV <http://www.mythtv.org>
MythTV Media Center