[mythtv] Patch to avoid crash in 'ShortVirtualChannelTable' parsing

Douglas Paul doug at bogon.ca
Mon Jan 20 18:24:14 UTC 2020


Hello,

I have been sitting on this patch for a little while -- forgot about it
completely to be honest.

In the last year, one of my local ATSC channels apparently changed
something in their systems. Previously, on their channel, they
broadcast two streams on separate subchannels -- one 1080i/30 the other
480i/30.

They made a change to remove the 480i subchannel. In addition, their HD
stream now changes frequently between 1080i/30 and 1080p/24 (sometimes
every few seconds especially during commercials), probably due to some
detection in the source material. Broke some things in my transcode flow
but that's another subject ...

When they did this, it seems they kept sending the VCT for the other
subchannel, but it contained garbage data. This caused the parser to
overrun a buffer and crash. It was pretty systematic after tuning that
channel. 

I've attached a patch I have been using for a while to correct this
problem, and haven't had issues since. I'm not sure if it's reproducible
with the current signal they are broadcasting, but I could try if a
backtrace is desired.

If I remember correctly -- the crash occurred inside the MPEGDescriptor
class because the 'end' pointer was not supplied. When this is the case,
no bounds checking is done. There are other uses of the MPEGDescriptor
class, and conceivably any of them could crash when there is bad data if
the end pointer is not given in the constructor.

There also seems to be a case where the same pointer is pushed into the
m_ptrs list twice (when 'descriptors_included' is false), but I do not
run into this case. I'm not sure if this is a problem, since I did not
look into how this list is used.

I attempted to open a ticket for this, but for some reason the Trac site
does not like something to do with my GitHub login (I get an error
complaining about an invalid username or password after submitting the
form that is asking for my name to associate with my GitHub account).

Thanks,

-- 
Douglas Paul


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Prevent-buffer-read-overrun-on-corrupted-tables.patch
Type: text/x-diff
Size: 2244 bytes
Desc: not available
URL: <http://lists.mythtv.org/pipermail/mythtv-dev/attachments/20200120/e353235d/attachment.bin>
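
The failure mode described in the message above (a descriptor walked with no 'end' bound, so a garbage length byte drives reads past the buffer) can be shown with a bounded walk over a descriptor loop. This is an added example, not the attached patch and not MythTV code; `DescriptorView`, `ParseResult`, `parse_descriptors` and the sample bytes are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// One descriptor: 1-byte tag, 1-byte length, then `length` payload bytes.
struct DescriptorView {
    uint8_t        tag;
    uint8_t        length;
    const uint8_t *payload;
};

struct ParseResult {
    std::vector<DescriptorView> descriptors;
    bool truncated = false;  // true if the loop ended in a descriptor that did not fit
};

// Hypothetical helper, not MythTV's MPEGDescriptor API: walks a descriptor
// loop and never reads at or beyond data + loop_len.
ParseResult parse_descriptors(const uint8_t *data, size_t loop_len)
{
    ParseResult res;
    size_t off = 0;
    while (off < loop_len) {
        const size_t remaining = loop_len - off;
        if (remaining < 2) {               // no room for the tag + length header
            res.truncated = true;
            break;
        }
        const uint8_t len = data[off + 1];
        if (len > remaining - 2) {         // declared payload runs past the end
            res.truncated = true;
            break;
        }
        res.descriptors.push_back({data[off], len, data + off + 2});
        off += 2u + len;
    }
    return res;
}

// Constructed sample data (not captured from a real broadcast).
static const uint8_t kGoodLoop[]    = {0xA0, 0x02, 0x11, 0x22, 0xA1, 0x01, 0x33};
static const uint8_t kGarbageLoop[] = {0xA0, 0x02, 0x11, 0x22, 0xA1, 0xFF, 0x33};

int main()
{
    const ParseResult good = parse_descriptors(kGoodLoop, sizeof(kGoodLoop));
    const ParseResult bad  = parse_descriptors(kGarbageLoop, sizeof(kGarbageLoop));
    std::printf("good: %zu descriptors, truncated=%d\n", good.descriptors.size(), good.truncated);
    std::printf("bad:  %zu descriptors, truncated=%d\n", bad.descriptors.size(), bad.truncated);
    return 0;
}
```

The second sample declares a 255-byte payload with one byte left in the loop; the walk keeps the descriptor that fit and reports the rest as truncated instead of reading on.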

