Mailing List archive


[vdr] Nasty bug in StillPicture()



Hi,
while setting marks on my recordings I noticed that from time to
time VDR segfaults while moving the marks.

I tracked this down to bad parsing in
cDvbDevice::StillPicture(). If the Data field contains non-0xEx
packets these packets are scanned byte by byte. If the data of
e.g. a 0xC0 audio packet contains the sequence 00 00 01 ea, this
is misdetected as a video packet. In most cases this leads to an
overflow of the allocated buff.

Solution: skip detected PES packets in one jump.

Find the attached patch (without whitespace changes; sorry, line
numbers may be off too).

Regards.

-- 
Stefan Huelswitt
huels@iname.com  | http://home.pages.de/~nathan
diff -ubN vdr-1.2.5-orig/dvbdevice.c vdr-1.2.5-ac3/dvbdevice.c
--- vdr-1.2.5-orig/dvbdevice.c	2003-09-06 15:19:33.000000000 +0200
+++ vdr-1.2.5-ac3/dvbdevice.c	2003-10-14 23:03:52.000000000 +0200
@@ -915,11 +1138,12 @@
         return;
      int i = 0;
      int blen = 0;
-     while (i < Length - 4) {
-           if (Data[i] == 0x00 && Data[i + 1] == 0x00 && Data[i + 2] == 0x01 && (Data[i + 3] & 0xF0) == 0xE0) {
+     while (i < Length - 6) {
+           if (Data[i] == 0x00 && Data[i + 1] == 0x00 && Data[i + 2] == 0x01) {
+              int len = Data[i + 4] * 256 + Data[i + 5];
+              if ((Data[i + 3] & 0xF0) == 0xE0) { // video packet
               // skip PES header
               int offs = i + 6;
-              int len = Data[i + 4] * 256 + Data[i + 5];
               // skip header extension
               if ((Data[i + 6] & 0xC0) == 0x80) {
                  offs += 3;
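Review bot: `int len = Data[i + 4] * 256 + Data[i + 5];` is now read for every `00 00 01` match but is never compared with the bytes left in `Data`, so a truncated packet or a false match with a large length field still feeds the skip and the `blen` accounting that follow. Check `i + 6 + len <= Length` right after computing `len` and fall through to `i++` when it does not hold. The new bound `i < Length - 6` does keep the `Data[i + 6]` read in range, which `Length - 4` did not.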
@@ -931,6 +1155,10 @@
               i = offs + len;
               blen += len;
               }
+              else { // other PES packets
+                 i += len+6;
+                 }
+              }
            else
               i++;
            }
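Review bot: the new `else` branch at `i += len+6;` runs for any byte that follows `00 00 01`, not only for PES stream ids, so an MPEG start code below 0xBC met during the byte scan has its next two bytes taken as a length and the jump can step over real video packets. Restrict the jump to `Data[i + 3] >= 0xBC` and use `i++` otherwise. Since `len` can be as large as 65535, `i` may also land well past `Length`; the loop condition ends the scan in that case, and a short comment saying so would make that intent clear.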

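Added example, not part of the original post or of VDR: a simplified C scanner that reproduces the misdetection described in the message on constructed buffers and contrasts the byte-by-byte scan with the jump over whole PES packets. The names `video_bytes`, `skip_other`, `sample_small` and `sample_big` are hypothetical; the function sums PES length fields instead of copying payload and ignores the header extension.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sum the PES_packet_length of every video packet (stream id 0xE0-0xEF).
 * skip_other == 0: non-video bytes are scanned one at a time (pre-patch).
 * skip_other == 1: other PES packets (stream id >= 0xBC) are jumped over.
 * Returns -1 when a length field points past the end of the input. */
static long video_bytes(const uint8_t *d, size_t n, int skip_other)
{
    size_t i = 0;
    long total = 0;
    while (i + 6 <= n) {
        int start = d[i] == 0x00 && d[i + 1] == 0x00 && d[i + 2] == 0x01;
        int video = start && (d[i + 3] & 0xF0) == 0xE0;
        int other = start && !video && skip_other && d[i + 3] >= 0xBC;
        if (!video && !other) { i++; continue; }
        size_t len = (size_t)d[i + 4] * 256 + d[i + 5];
        if (len > n - i - 6)
            return -1;               /* would read or copy past the input */
        if (video)
            total += (long)len;
        i += 6 + len;
    }
    return total;
}

/* Constructed input: a 4-byte video packet, then an audio packet (0xC0)
 * whose payload happens to contain 00 00 01 EA followed by length 00 02. */
static const uint8_t sample_small[] = {
    0x00, 0x00, 0x01, 0xE0, 0x00, 0x04, 0x11, 0x22, 0x33, 0x44,
    0x00, 0x00, 0x01, 0xC0, 0x00, 0x0A,
    0x00, 0x00, 0x01, 0xEA, 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x00,
};
/* Same layout, but the bytes after the fake start code read as length 0xFFFF. */
static const uint8_t sample_big[] = {
    0x00, 0x00, 0x01, 0xE0, 0x00, 0x04, 0x11, 0x22, 0x33, 0x44,
    0x00, 0x00, 0x01, 0xC0, 0x00, 0x0A,
    0x00, 0x00, 0x01, 0xEA, 0xFF, 0xFF, 0xAA, 0xBB, 0x00, 0x00,
};

int main(void)
{
    printf("byte scan: %ld %ld\n", video_bytes(sample_small, sizeof sample_small, 0),
           video_bytes(sample_big, sizeof sample_big, 0));
    printf("jump scan: %ld %ld\n", video_bytes(sample_small, sizeof sample_small, 1),
           video_bytes(sample_big, sizeof sample_big, 1));
    return 0;
}
```

With the byte scan the small sample silently counts two audio bytes as video, and the large one is only stopped by the length check; with the jump both samples yield the four real video bytes.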