[vdr] Memory corruption in eit.c causes crash
- To: vdr@linuxtv.org
- Subject: [vdr] Memory corruption in eit.c causes crash
- From: s.huelswitt@gmx.de (Stefan Huelswitt)
- Date: 22 Jan 2002 19:35:52 GMT
- Content-Transfer-Encoding: quoted-printable
- Content-Type: text/plain; charset=iso-8859-1
- Delivered-To: mhonarc@limes.convergence.de
- Newsgroups: local.linux.vdr
- Organization: Home, sweet home
- Reply-to: vdr@linuxtv.org
- Sender: vdr-bounce@linuxtv.org
Hi,
in the past I had several crashes of vdr. Most of the time, a
backtrace wasn't a great help, as most available pointers etc. had
been corrupted. Several times the crash occurred right at 05:00 in
the morning (this is the point where vdr cleans up the EPG data).
This leads me to eit.c, but I didn't manage to fully understand
what is done there. Now, finally, I can serve a useful trace:
Core was generated by `/usr/local/bin/vdr -w 60 -l 3 -c /var/home/vdr -v /mnt/videodata -E /mnt/ram'.
Program terminated with signal 11, Segmentation fault.
(gdb) bt
#0 0x401c6c27 in memcpy () from /lib/libc.so.6
#1 0x401c0be9 in chunk_realloc () from /lib/libc.so.6
#2 0x401c0784 in realloc () from /lib/libc.so.6
#3 0x806f976 in strcpyrealloc__FPcPCc (dest=0x80e0090 "",
src=0x80f39d4 "Hÿ\025\bÌè\n\b`") at tools.c:70
#4 0x805962a in SetSubtitle__10cEventInfoPCc (this=0x80e2a48,
string=0x80f39d4 "Hÿ\025\bÌè\n\b`") at eit.c:306
#5 0x805a63f in ProcessEIT__4cEITPUc (this=0xbf7fea24,
buffer=0xbf7fea2c "Oð\235mÑí") at eit.c:805
#6 0x805ae49 in Action__12cSIProcessor (this=0x80d9a28) at eit.c:1005
#7 0x806ef7e in StartThread__7cThreadP7cThread (Thread=0x80d9a28)
at thread.c:117
#8 0x4008bca3 in pthread_start_thread () from /lib/libpthread.so.0
(gdb) f 4
#4 0x805962a in SetSubtitle__10cEventInfoPCc (this=0x80e2a48,
string=0x80f39d4 "Hÿ\025\bÌè\n\b`") at eit.c:306
306 pSubtitle = strcpyrealloc(pSubtitle, string);
(gdb) info locals
this = (cEventInfo *) 0x80e2a48
string = 0xfffffffc <Address 0xfffffffc out of bounds>
(gdb) f 5
#5 0x805a63f in ProcessEIT__4cEITPUc (this=0xbf7fea24,
buffer=0xbf7fea2c "Oð\235mÑí") at eit.c:805
805 pEvent->SetSubtitle(VdrProgramInfo->ShortText);
(gdb) info locals
buffer = (unsigned char *) 0xfffffffc <Address 0xfffffffc out of bounds>
pEvent = (cEventInfo *) 0x80e2a48
rEvent = (cEventInfo *) 0x0
pSchedule = (cSchedule *) 0x80dc010
rSchedule = (cSchedule *) 0x80edd78
VdrProgramInfos = (LIST *) 0xfffffffc
VdrProgramInfo = (VdrProgramInfo *) 0x80f396c
(gdb) print VdrProgramInfo
$10 = (VdrProgramInfo *) 0x80f396c
(gdb) print VdrProgramInfo->ShortName
$11 = 0x2d2e7473 <Address 0x2d2e7473 out of bounds>
(gdb) print VdrProgramInfo->LanguageCode
$12 = "1688"
(gdb) print &VdrProgramInfo->LanguageCode
$13 = (char (*)[4]) 0x80f3992
(gdb) x/s 0x80f3992
0x80f3992: "168800 (Best.-Nr. 387, Preis s. Programm-Magazin)"
At first view I said that VdrProgramInfo->LanguageCode had overrun its
size and corrupted the following pointers. But strangely the text
seems to start right in the middle. So I continued:
(gdb) print/a VdrProgramInfo
$1 = 0x80f396c
(gdb) x/8sb 0x80f396c
0x80f396c: "`"
0x80f396e: ""
0x80f396f: ""
0x80f3970: "Orderline D: 0180-5530000 A: 01-49168800 (Best.-Nr. 387, Preis s. Programm-Magazin)"
0x80f39c4: ""
0x80f39c5: "."
0x80f39c7: ""
0x80f39c8: "`"
Now I see that something has written a text to offset 4 of
VdrProgramInfo, which is struct NODE->Pred. Something really weird
has happened to the list chain.
Any ideas?
PS: core saved if further investigations needed.
--
Stefan Huelswitt
huels@iname.com | http://home.pages.de/~nathan
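The symptom in the trace above is a linked-list node whose Pred field holds ASCII text instead of a pointer, and the crash only surfaces later, deep inside realloc/memcpy, once that garbage is dereferenced. The following is an added example (not VDR's code, and not the libdtv list implementation the backtrace refers to): it models a NODE/LIST layout with Succ at offset 0 and Pred right after it, as the post describes, a VdrProgramInfo with a four-byte LanguageCode field, a bounded copy into that field that refuses overlong input instead of overrunning, and a list_check() walk that validates every back-link without dereferencing it, so a corrupted chain is reported at the node where it breaks rather than much later as a segfault. The struct layouts, list_append, list_check and the demo functions are assumptions made for this example.

```c
/* Added example, not VDR's own code. NODE/LIST/VdrProgramInfo layouts are
 * assumptions modelled on the backtrace in the post (Succ first, Pred next). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct NODE { struct NODE *Succ; struct NODE *Pred; } NODE;
typedef struct LIST { NODE *Head; NODE *Tail; int Count; } LIST;

typedef struct VdrProgramInfo {
    NODE Node;            /* Pred sits immediately after Succ, as in the trace */
    char LanguageCode[4]; /* three-letter code plus NUL; nothing longer fits */
    char *ShortText;
} VdrProgramInfo;

/* Bounded copy into LanguageCode: 0 on success, -1 if src would not fit.
 * The field is always NUL-terminated afterwards and never overrun. */
int copy_language_code(VdrProgramInfo *info, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof info->LanguageCode) {
        info->LanguageCode[0] = '\0';
        return -1;
    }
    memcpy(info->LanguageCode, src, n + 1);
    return 0;
}

/* Append a node at the tail, keeping both directions of the chain consistent. */
void list_append(LIST *list, NODE *node) {
    node->Succ = NULL;
    node->Pred = list->Tail;
    if (list->Tail) list->Tail->Succ = node; else list->Head = node;
    list->Tail = node;
    list->Count++;
}

/* Walk the chain from Head and verify that every node's Pred points back at
 * the node we just came from, that the walk ends at Tail, and that it visits
 * exactly Count nodes (guards against a cycle). Pred is only compared, never
 * dereferenced, so a garbage value cannot crash the check itself.
 * Returns the index of the first inconsistent node, or -1 if the list is sound. */
int list_check(const LIST *list) {
    NODE *prev = NULL;
    int i = 0;
    for (NODE *n = list->Head; n; n = n->Succ, i++) {
        if (i >= list->Count) return i;   /* more nodes than Count: cycle or stale Count */
        if (n->Pred != prev) return i;    /* back-link does not match the forward walk */
        prev = n;
    }
    if (prev != list->Tail || i != list->Count) return i;
    return -1;
}

/* Reproduces the post's symptom in a controlled way: build a sound 3-node
 * list, then overwrite the second node's Pred with text bytes (constructed
 * input, standing in for whatever wrote into the node in the real crash) and
 * confirm list_check reports that node. Returns the index list_check gives. */
int demo_detects_overwritten_pred(void) {
    LIST list = {0};
    VdrProgramInfo a = {0}, b = {0}, c = {0};
    const char text[] = "Orderline D: 0180";   /* constructed sample text */
    list_append(&list, &a.Node);
    list_append(&list, &b.Node);
    list_append(&list, &c.Node);
    if (list_check(&list) != -1) return -2;    /* sanity: intact list passes */
    memcpy(&b.Node.Pred, text, sizeof b.Node.Pred);
    return list_check(&list);                  /* node 1 is flagged */
}

/* Returns 1 if the bounded copy accepts a 3-letter code and rejects the
 * overlong string seen at LanguageCode in the trace, 0 otherwise. */
int demo_bounded_copy(void) {
    VdrProgramInfo info = {0};
    const char *overlong = "168800 (Best.-Nr. 387, Preis s. Programm-Magazin)";
    if (copy_language_code(&info, "ger") != 0) return 0;
    if (strcmp(info.LanguageCode, "ger") != 0) return 0;
    if (copy_language_code(&info, overlong) != -1) return 0;
    if (info.LanguageCode[0] != '\0') return 0;
    return 1;
}

int main(void) {
    printf("bounded copy ok: %d\n", demo_bounded_copy());
    printf("first corrupted node: %d\n", demo_detects_overwritten_pred());
    return 0;
}
```

A check like list_check() is cheap enough to run at the start of the 05:00 EPG cleanup or before each ProcessEIT pass; failing loudly there, with the index of the bad node, narrows the search to whatever last touched that node, instead of leaving a backtrace whose pointers are already garbage.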