[vdr] bug in channels.h?

Matthias Lenk matthias.lenk at AMD.com
Thu Jul 21 15:30:11 CEST 2005


Hi Udo,

I just wanted to add some details. That crash happened when watching DVB-T in 
Berlin and I had a special channels.conf that I cannot find right now, 
unfortunately. Also, it was not on an x86 platform, so this might come into 
play as well.

Thanks,

Matthias

On Thursday 21 July 2005 15:13, Matthias Lenk wrote:
> Hi Udo,
>
> Thanks for the quick reply. I don't think that this is just cosmetic. I had
> a crash caused by this, not directly but indirectly, so I suggest fixing
> this.
>
> Thanks,
>
> Matthias
>
> On Thursday 21 July 2005 14:37, Udo Richter wrote:
> > Matthias Lenk wrote:
> > > I was experimenting with VDR 1.3.27 and DVB-T reception and found an
> > > issue in channels.h. The alangs member of the class cChannel has
> > > MAXAPIDS elements. But in channels.c line 447 an element with index
> > > MAXAPIDS can be accessed. But the max index is of course MAXAPIDS - 1.
> > > This can have weird effects, so I suggest increasing the number of
> > > elements to MAXAPIDS + 1. The same is true for the dlangs member of the
> > > cChannels class.
> >
> > I agree. The ?pid lists are zero-terminated, so they are [MAX?PIDS + 1]
> > sized. The ?langs arrays are accessed in parallel, so they need to be
> > sized the same, just like in pat.c line 329.
> >
> > An alternative would be to rewrite the initializing loop in
> > cChannel::SetPids, because there is no need to copy the lang of the
> > terminating 0 pid. (the current loop always copies the whole array
> > instead of stopping at the terminating 0 pid)
> >
> > The bug is currently just cosmetic, because the only out-of-bounds write
> > access to alangs[MAXAPIDS] trashes dpids[0] which is overwritten in the
> > next step. The same happens for dlangs[MAXDPIDS] and spids[0], where spids
> > is generally unused by now.
> >
> > Cheers,
> >
> > Udo
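
The sizing problem discussed in this thread, as an added C example (not VDR's code and not posted by anyone in the thread): a zero-terminated pid list with MAX + 1 slots next to a parallel language array with only MAX slots, and the two fixes mentioned above. The struct names, the array sizes, the 4-byte language field and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sizes for illustration, not VDR's real values. */
#define MAXAPIDS 4
#define MAXDPIDS 2
#define LANGLEN  4   /* 3-letter language code + NUL (assumed field width) */

/* Layout as described in the thread: the pid lists have a slot for the
   terminating 0, the parallel language array does not. */
struct undersized {
    int  apids[MAXAPIDS + 1];
    char alangs[MAXAPIDS][LANGLEN];
    int  dpids[MAXDPIDS + 1];
};

/* First fix from the thread: give the language array MAX + 1 slots too. */
struct resized {
    int  apids[MAXAPIDS + 1];
    char alangs[MAXAPIDS + 1][LANGLEN];
    int  dpids[MAXDPIDS + 1];
};

/* Bytes between the end of alangs and dpids[0] in the undersized layout.
   0 means a write to alangs[MAXAPIDS] would land on dpids[0]. */
size_t terminator_slot_gap(void) {
    return offsetof(struct undersized, dpids)
         - (offsetof(struct undersized, alangs) + sizeof(char[MAXAPIDS][LANGLEN]));
}

size_t resized_lang_slots(void) {
    return sizeof(((struct resized *)0)->alangs) / LANGLEN;
}

/* Alternative fix from the thread: stop at the terminating 0 pid and never
   touch index MAXAPIDS of alangs, so even the undersized layout stays in
   bounds. Returns the number of pids stored. */
int set_apids(struct undersized *c, const int *pids, const char (*langs)[LANGLEN]) {
    int n = 0;
    while (n < MAXAPIDS && pids[n] != 0) {
        c->apids[n] = pids[n];
        memcpy(c->alangs[n], langs[n], LANGLEN - 1);
        c->alangs[n][LANGLEN - 1] = '\0';
        n++;
    }
    c->apids[n] = 0;   /* apids has MAXAPIDS + 1 slots, so n == MAXAPIDS is in bounds */
    return n;
}

/* Constructed input: six pids (more than MAXAPIDS) plus the terminator. */
const int  sample_pids[] = {101, 102, 103, 104, 105, 106, 0};
const char sample_langs[][LANGLEN] = {"deu", "eng", "fra", "ita", "spa", "pol", ""};
```

Whether the slot past the end of alangs coincides with dpids[0] depends on member order and padding, so the gap of 0 holds for this constructed layout with a 4-byte int.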



