[vdr] PMT in multiple TS packet bug

Alexw alexw at undercover.mine.nu
Mon Jan 19 10:44:18 CET 2009


Hi Klaus,

I have noticed a PMT parsing issue with VDR version 1.7.x. The bug is still
present in version 1.7.3 but the behaviour is worse because it segfaults.

First I found out that 2 lines were added in the ParsePmt method.

     Data += Data[0] + 1; // this is the first packet

     Length -= Data[0] + 1;

At the moment I don't know exactly what the meaning of these 2 operations is.
The second line can result in a negative Length, which is the reason for the
segfault.
Could you kindly explain the offset drift? In a single section PMT (99.9% of
the time) Data[0] is always equal to 0 and we skip the first byte. Length is
reduced by 1. In a multiple section stream Data[0] can be above 188. Trying to
skip more than a section is not possible in the actual context.

I have done a quick and dirty hack to prevent the segfault:

--- remux.c_ori 2009-01-16 21:05:46.000000000 +0100
+++ remux.c     2009-01-17 13:34:17.000000000 +0100
@@ -361,6 +361,7 @@
   if (pmtSize == 0) {
      Data += Data[0] + 1; // this is the first packet
      Length -= Data[0] + 1;
+     if ( Length < 0 ) Length = 0;
      if (SectionLength(Data, Length) > Length) {
         if (Length <= int(sizeof(pmt))) {
            memcpy(pmt, Data, Length);
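
Review bot: the added `if ( Length < 0 ) Length = 0;` clamps the underflow after the fact and lets parsing continue, so `SectionLength(Data, Length)` still runs with `Data` already advanced by `Data[0] + 1`. Reject the packet instead: compare the skip against `Length` before `Data` is moved and return when it does not fit. Also, `Length -= Data[0] + 1;` reads `Data[0]` after `Data` has been advanced, so it subtracts a different byte than the one used for the skip; read the value into a local once and apply it to both.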


The second step will be to have the parsing of multiple sections allowed. At
the moment when the data size exceeds the section size (max 4096), PMT cannot
be parsed.


[2222] ERROR: can't parse PMT
[2222] ERROR: can't parse PMT
[2222] ERROR: can't parse PMT
[2222] ERROR: can't parse PMT
[2222] ERROR: can't parse PMT
[2222] ERROR: PMT section length too big (4176 byte)!
[2222] ERROR: can't parse PMT


Regards,

Alex
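
The bounds problem raised in this message, as an added example that is not part of the original post and is not VDR's code: a C++ section assembler that validates the skip byte before moving the pointer and, going beyond the patch, collects a section across several TS packets up to the 4096-byte limit quoted above. It assumes Data[0] is the MPEG-TS pointer_field; `SectionAssembler`, `feed` and `Psi` are hypothetical names.

```cpp
// Added example: hypothetical names, not VDR's cPatPmtParser.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

enum class Psi { NeedMore, Complete, Rejected };

struct SectionAssembler {
    static constexpr size_t kMax = 4096;  // section size limit quoted in the post
    uint8_t buf[kMax];
    size_t have = 0;  // section bytes collected so far
    size_t want = 0;  // full section size, 0 until the 3-byte header is seen

    // p/len: TS payload after the 4-byte header and any adaptation field.
    // start: payload_unit_start_indicator of that packet.
    Psi feed(const uint8_t *p, size_t len, bool start) {
        if (start) {
            have = want = 0;  // a new section begins; drop any partial one
            if (len == 0) return Psi::Rejected;
            size_t skip = size_t(p[0]) + 1;  // read pointer_field once, before moving p
            if (skip >= len) return Psi::Rejected;  // nothing left: never go negative
            p += skip;
            len -= skip;
        } else if (have == 0 || (want != 0 && have >= want)) {
            return Psi::Rejected;  // continuation with no section in progress
        }
        size_t room = (want != 0 ? want : sizeof buf) - have;
        size_t n = len < room ? len : room;  // ignore stuffing past the section end
        memcpy(buf + have, p, n);
        have += n;
        if (want == 0 && have >= 3) {
            want = 3 + (size_t(buf[1] & 0x0F) << 8 | buf[2]);  // 12-bit section_length
            if (want > kMax) { have = want = 0; return Psi::Rejected; }
            if (have > want) have = want;  // first packet held the whole section
        }
        return (want != 0 && have >= want) ? Psi::Complete : Psi::NeedMore;
    }
};

int main() {
    // Constructed payload: pointer_field 200 inside a 184-byte payload.
    uint8_t pkt[184] = {200};
    SectionAssembler a;
    printf("%s\n", a.feed(pkt, sizeof pkt, true) == Psi::Rejected ? "rejected" : "accepted");
    return 0;
}
```

On `Complete`, the section occupies `buf[0]` to `buf[want - 1]`; CRC checking is left to the caller.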



