[vdr] Re: Coredump - vdr 1.3.9 at eit.c:205

To: vdr@linuxtv.org
Subject: [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
From: Klaus Schmidinger <Klaus.Schmidinger@cadsoft.de>
Date: Fri, 04 Jun 2004 23:22:51 +0200
Content-type: text/plain; charset=us-ascii
List-help: <mailto:ecartis@linuxtv.org?subject=help>
List-id: vdr <vdr.elisten>
List-owner: <mailto:listmaster@convergence.de>
List-post: <mailto:vdr@linuxtv.org>
List-software: Ecartis version 1.0.0
List-subscribe: <mailto:ecartis@linuxtv.org?subject=subscribe%20vdr>
List-unsubscribe: <mailto:ecartis@linuxtv.org?subject=unsubscribe%20vdr>
Organization: CadSoft Computer GmbH
References: <OF0D4C59E2.E08FE1D2-ONC1256EA9.0069A5F2-C1256EA9.006A0550@lindy.de> <40C0CE1B.6020209@lawatsch.at> <40C0D2A7.70407@lawatsch.at> <40C0DF8C.A7FF66F1@cadsoft.de> <40C0E3C9.50005@lawatsch.at>
Reply-to: vdr@linuxtv.org
Sender: vdr-bounce@linuxtv.org

Philip Lawatsch wrote:
> 
> Klaus Schmidinger wrote:
> 
> >
> > I'm having the same problem. It started at around 21:45 tonight.
> > For the moment I guess turning off the EPG scan helps somewhat.
> > Maybe some channel has f***ed up their EPG data, which maybe triggers
> > a bug in VDR.
> 
> Found the problem:
> 
> in eit.c around line 200:
> 
> if (ExtendedEventDescriptors) {
>              char
> buffer[ExtendedEventDescriptors->getMaximumTextLength(": ")];
> 
> pEvent->SetDescription(ExtendedEventDescriptors->getText(buffer, ": "));
> }
> 
> The size of the buffer is too small and a buffer overflow will overwrite
> the ShortEventDescriptor and a delete will crash the whole program.

So there is either a bug in libsi, or the ZDF transponder is sending
garbled EPG data.

> ExtendedEventDescriptors->getMaximumTextLength(": ") calculates a too
> small size in my case.
> 
> Changing this to about
> 
> ExtendedEventDescriptors->getMaximumTextLength(": ")*2 solves the problem.

Maybe using a fixed 4096 would be best here, because that's the absolute
maximum ExtendedEventDescriptors->getText() can return.

> Btw, two note (no offenses !), using auto variables as buffers is bad no
> matter what since you can screw the stack.
> 
> #2 fixed size buffers are bad anyway since for instance you have
> 
> if (ShortEventDescriptor) {
>   char buffer[256];
>              pEvent->SetTitle(ShortEventDescriptor->name.getText(buffer));
> 
> pEvent->SetShortText(ShortEventDescriptor->text.getText(buffer));
>              }
> 
> Whereas getText checks for a length > 4095 or alike.

Well, IIRC the Title and ShortText can by definition only be up to 256
bytes long (including the terminating 0). But of course we could use a

  char buffer[4096];

for both cases.

> This is a source of problems imo.
> 
> And, using auto variable arrays with a "dynamic" size is a g++ only
> feature, its not protable.

Since nobody has complained about this so far, I'd say we look into
this once it becomes an actual problem.

Thanks for your debugging work. I'll try to find out more about the actual
cause of the problem tomorrow (provided the ZDF transponder still sends
garbled data then). Right now my VDR is recording...

Klaus

Follow-Ups:
- [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
  - From: Philip Lawatsch <philip@lawatsch.at>

References:
- [vdr] Coredump - vdr 1.3.9 at eit.c:205
  - From: "Stefan Hagendorn" <stefan.hagendorn@lindy.cc>
- [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
  - From: Philip Lawatsch <philip@lawatsch.at>
- [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
  - From: Philip Lawatsch <philip@lawatsch.at>
- [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
  - From: Klaus Schmidinger <Klaus.Schmidinger@cadsoft.de>
- [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
  - From: Philip Lawatsch <philip@lawatsch.at>

Prev by Date: [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
Next by Date: [vdr] Re: DVB drivers in 2.6 kernel, VDR 1.3.8 and TT DVB-C2.1?
Previous by thread: [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
Next by thread: [vdr] Re: Coredump - vdr 1.3.9 at eit.c:205
Index(es):
- Date
- Thread

Home | Main Index | Thread Index