driver/genpsi.cpp: try to prevent buffer overflow

[CST] Focus
2015-01-02 15:14:16 +03:00
parent 8f40f990fc
commit 8bac59eb33


@@ -24,8 +24,9 @@
#include <unistd.h> #include <unistd.h>
#include <driver/genpsi.h> #include <driver/genpsi.h>
#define SIZE_TS_PKT 188 #define SIZE_TS_PKT 188
#define OFS_HDR_2 5 #define TS_DATA_LEN 184
#define OFS_HDR_2 5
#define OFS_PMT_DATA 13 #define OFS_PMT_DATA 13
#define OFS_STREAM_TAB 17 #define OFS_STREAM_TAB 17
#define SIZE_STREAM_TAB_ROW 5 #define SIZE_STREAM_TAB_ROW 5
@@ -272,98 +273,103 @@ void CGenPsi::build_pmt(uint8_t* buffer)
buffer[0x1c] = 0x11; buffer[0x1c] = 0x11;
buffer[0x1d] = 0x01; buffer[0x1d] = 0x01;
buffer[0x1e] = 0xfe; buffer[0x1e] = 0xfe;
off = 0x1e; off = 0x1f;
// Audio streams // Audio streams
for (int index = 0; index < nba && index<10; index++) for (int index = 0; index < nba; index++)
{ {
buffer[++off] = (atypes[index]==1)? ES_TYPE_AC3 : ES_TYPE_MPA; if ((atypes[index] == 1) && (off >= (TS_DATA_LEN - 17)))
buffer[++off] = apid[index]>>8; break;
buffer[++off] = apid[index]&0xff; else if (off >= (TS_DATA_LEN - 11))
break;
buffer[off++] = (atypes[index]==1)? ES_TYPE_AC3 : ES_TYPE_MPA;
buffer[off++] = apid[index]>>8;
buffer[off++] = apid[index]&0xff;
if (atypes[index] == 1)//ES_TYPE_AC3 if (atypes[index] == 1)//ES_TYPE_AC3
{ {
buffer[++off] = 0xf0; buffer[off++] = 0xf0;
buffer[++off] = 0x0c; // es info length buffer[off++] = 0x0c; // es info length
buffer[++off] = 0x05; buffer[off++] = 0x05;
buffer[++off] = 0x04; buffer[off++] = 0x04;
buffer[++off] = 0x41; buffer[off++] = 0x41;
buffer[++off] = 0x43; buffer[off++] = 0x43;
buffer[++off] = 0x2d; buffer[off++] = 0x2d;
buffer[++off] = 0x33; buffer[off++] = 0x33;
} }
else else
{ {
buffer[++off] = 0xf0; buffer[off++] = 0xf0;
buffer[++off] = 0x06; // es info length buffer[off++] = 0x06; // es info length
} }
buffer[++off] = 0x0a; // iso639 descriptor tag buffer[off++] = 0x0a; // iso639 descriptor tag
buffer[++off] = 0x04; // descriptor length buffer[off++] = 0x04; // descriptor length
buffer[++off] = apid_lang[index][0]; buffer[off++] = apid_lang[index][0];
buffer[++off] = apid_lang[index][1]; buffer[off++] = apid_lang[index][1];
buffer[++off] = apid_lang[index][2]; buffer[off++] = apid_lang[index][2];
buffer[++off] = 0x00; // audio type buffer[off++] = 0x00; // audio type
} }
// eac3 audio // eac3 audio
for (int index=0; index<neac3 && index<10; index++) for (int index = 0; index < neac3 && off < (TS_DATA_LEN-18); index++)
{ {
buffer[++off] = 0x06;//pes private type; buffer[off++] = 0x06;//pes private type;
buffer[++off] = 0xE0 | eac3_pid[index]>>8; buffer[off++] = 0xE0 | eac3_pid[index]>>8;
buffer[++off] = eac3_pid[index] & 0xFF; buffer[off++] = eac3_pid[index] & 0xFF;
buffer[++off] = 0xF0; buffer[off++] = 0xF0;
buffer[++off] = 0x0d; // es info length buffer[off++] = 0x0d; // es info length
buffer[++off] = 0x52; buffer[off++] = 0x52;
buffer[++off] = 0x01; buffer[off++] = 0x01;
buffer[++off] = 0x5d; buffer[off++] = 0x5d;
buffer[++off] = 0x0a; // iso639 descriptor tag buffer[off++] = 0x0a; // iso639 descriptor tag
buffer[++off] = 0x04; // descriptor length buffer[off++] = 0x04; // descriptor length
buffer[++off] = eac3_lang[index][0]; //language code[0] buffer[off++] = eac3_lang[index][0]; //language code[0]
buffer[++off] = eac3_lang[index][1]; //language code[1] buffer[off++] = eac3_lang[index][1]; //language code[1]
buffer[++off] = eac3_lang[index][2]; //language code[2] buffer[off++] = eac3_lang[index][2]; //language code[2]
buffer[++off] = 0x01; buffer[off++] = 0x01;
buffer[++off] = 0x7a; //enhanced_AC-3_descriptor buffer[off++] = 0x7a; //enhanced_AC-3_descriptor
buffer[++off] = 0x02; buffer[off++] = 0x02;
buffer[++off] = 0x80; buffer[off++] = 0x80;
buffer[++off] = 0xc5; buffer[off++] = 0xc5;
} }
// Subtitle streams // Subtitle streams
for (int index = 0; index < nsub && index<10; index++) for (int index = 0; index < nsub && off < (TS_DATA_LEN-15); index++)
{ {
buffer[++off] = 0x06;//pes private type; buffer[off++] = 0x06;//pes private type;
buffer[++off] = dvbsubpid[index]>>8; buffer[off++] = dvbsubpid[index]>>8;
buffer[++off] = dvbsubpid[index]&0xff; buffer[off++] = dvbsubpid[index]&0xff;
buffer[++off] = 0xf0; buffer[off++] = 0xf0;
buffer[++off] = 0x0a; // es info length buffer[off++] = 0x0a; // es info length
buffer[++off] = 0x59; // DVB sub tag buffer[off++] = 0x59; // DVB sub tag
buffer[++off] = 0x08; // descriptor length buffer[off++] = 0x08; // descriptor length
buffer[++off] = dvbsublang[index][0]; buffer[off++] = dvbsublang[index][0];
buffer[++off] = dvbsublang[index][1]; buffer[off++] = dvbsublang[index][1];
buffer[++off] = dvbsublang[index][2]; buffer[off++] = dvbsublang[index][2];
buffer[++off] = 0x20; //subtitle_stream.subtitling_type buffer[off++] = 0x20; //subtitle_stream.subtitling_type
buffer[++off] = 0x01>>8; //composition_page_id buffer[off++] = 0x01>>8; //composition_page_id
buffer[++off] = 0x01&0xff; //composition_page_id buffer[off++] = 0x01&0xff; //composition_page_id
buffer[++off] = 0x01>>8; //ancillary_page_id buffer[off++] = 0x01>>8; //ancillary_page_id
buffer[++off] = 0x01&0xff; //ancillary_page_id buffer[off++] = 0x01&0xff; //ancillary_page_id
} }
// TeleText streams // TeleText streams
if(vtxtpid){ if(vtxtpid && off < (TS_DATA_LEN-15)) {
buffer[++off] = 0x06; //teletext stream type; buffer[off++] = 0x06; //teletext stream type;
buffer[++off] = 0xE0 | vtxtpid>>8; buffer[off++] = 0xE0 | vtxtpid>>8;
buffer[++off] = vtxtpid&0xff; buffer[off++] = vtxtpid&0xff;
buffer[++off] = 0xf0; buffer[off++] = 0xf0;
buffer[++off] = 0x0A; // ES_info_length buffer[off++] = 0x0A; // ES_info_length
buffer[++off] = 0x52; //DVB-DescriptorTag: 82 (0x52) [= stream_identifier_descriptor] buffer[off++] = 0x52; //DVB-DescriptorTag: 82 (0x52) [= stream_identifier_descriptor]
buffer[++off] = 0x01; // descriptor_length buffer[off++] = 0x01; // descriptor_length
buffer[++off] = 0x03; //component_tag buffer[off++] = 0x03; //component_tag
buffer[++off] = 0x56; // DVB teletext tag buffer[off++] = 0x56; // DVB teletext tag
buffer[++off] = 0x05; // descriptor length buffer[off++] = 0x05; // descriptor length
buffer[++off] = vtxtlang[0]; //language code[0] buffer[off++] = vtxtlang[0]; //language code[0]
buffer[++off] = vtxtlang[1]; //language code[1] buffer[off++] = vtxtlang[1]; //language code[1]
buffer[++off] = vtxtlang[2]; //language code[2] buffer[off++] = vtxtlang[2]; //language code[2]
buffer[++off] = (/*descriptor_magazine_number*/ 0x01 & 0x06) | ((/*descriptor_type*/ 0x01 << 3) & 0xF8); buffer[off++] = (/*descriptor_magazine_number*/ 0x01 & 0x06) | ((/*descriptor_type*/ 0x01 << 3) & 0xF8);
buffer[++off] = 0x00 ; //Teletext_page_number buffer[off++] = 0x00 ; //Teletext_page_number
} }
buffer[0x07] = off-3; // update section_length buffer[0x07] = off-3; // update section_length
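Review bot: Dropping the `index<10` cap from the audio, eac3 and subtitle loops in build_pmt leaves `index` limited only by `nba`/`neac3`/`nsub` and by the space left in the packet, so the reads of `apid[index]`, `atypes[index]`, `apid_lang[index]` and the eac3/subtitle arrays are now in bounds only if those counters never exceed the array sizes. The declarations are not in this hunk, but the old literal suggests ten entries, and with 11-byte MPA rows starting at `off = 0x1f`, thirteen rows fit before the `TS_DATA_LEN - 11` check breaks out. I would keep an explicit index bound alongside the space check, e.g. `for (int index = 0; index < nba && index < 10; index++)`, preferably with a named constant shared with the header that sizes the arrays. Separately, `off` changed from the last-written index to the next-free index while `buffer[0x07] = off-3;` is unchanged context, so section_length comes out one larger than before for the same content. The CRC code that follows is outside the hunk, so please confirm that it and the length still agree.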