[vdr] bug in channels.h?
matthias.lenk at amd.com
Thu Jul 21 15:13:04 CEST 2005
Thanks for the quick reply. I don't think that this is just cosmetic. I had a
crash caused by this, not directly but indirectly, so I suggest fixing this.

On Thursday 21 July 2005 14:37, Udo Richter wrote:
> Matthias Lenk wrote:
> > I was experimenting with VDR 1.3.27 and DVB-T reception and found an
> > issue in channels.h. The alangs member of the class cChannel has MAXAPIDS
> > elements. But in channels.c line 447 an element with index MAXAPIDS can
> > be accessed. But the max index is of course MAXAPIDS - 1. This can have
> > weird effects, so I suggest increasing the number of elements to
> > MAXAPIDS + 1. The same is true for the dlangs member of the cChannels class.
>
> I agree. The ?pid lists are zero-terminated, so they are [MAX?PIDS + 1]
> sized. The ?langs arrays are accessed in parallel, so they need to be
> sized the same, just like in pat.c line 329.
>
> An alternative would be to rewrite the initializing loop in
> cChannel::SetPids, because there is no need to copy the lang of the
> terminating 0 pid. (the current loop always copies the whole array
> instead of stopping at the terminating 0 pid)
>
> The bug is currently just cosmetic, because the only out-of-bounds write
> access to alangs[MAXAPIDS] trashes dpids which is overwritten in the
> next step. Same happens for dlangs[MAXDPIDS] and spids, where spids
> is generally un-used by now.
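
The off-by-one discussed in this thread, as an added example that is not part of the original messages and is not VDR's code. It is a simplified model: `struct channel`, both function names, `LANGLEN` and the value 4 for `MAXAPIDS` are assumptions. It counts the index the whole-array copy reaches past the lang array, then shows the stop-at-terminator loop suggested above.

```c
#include <stdio.h>
#include <string.h>

#define MAXAPIDS 4  /* constructed small value; the thread gives only the name */
#define LANGLEN  4  /* assumed size of one language code, including the NUL */

/* Simplified model of the fields named in the thread, not VDR's cChannel. */
struct channel {
    int  apids[MAXAPIDS + 1];        /* zero-terminated, hence the + 1 */
    char alangs[MAXAPIDS][LANGLEN];  /* one slot short, as reported */
    int  dpids[MAXAPIDS + 1];        /* neighbour that absorbs a stray write */
};

/* Walk the indices a "copy the whole array" loop visits (0..MAXAPIDS
 * inclusive) and count those outside a lang array of lang_slots entries.
 * Nothing is written, so this is safe to run. */
size_t oob_indices_whole_copy(size_t lang_slots)
{
    size_t oob = 0;
    for (size_t i = 0; i <= MAXAPIDS; i++)
        if (i >= lang_slots) oob++;
    return oob;
}

/* Alternative from the thread: stop at the terminating 0 pid, so the lang
 * of the terminator is never copied and alangs[MAXAPIDS] is never touched. */
size_t set_pids_stop_at_zero(struct channel *c, const int *pids,
                             const char (*langs)[LANGLEN])
{
    size_t n = 0;
    while (n < MAXAPIDS && pids[n] != 0) {
        c->apids[n] = pids[n];
        strncpy(c->alangs[n], langs[n], LANGLEN - 1);
        c->alangs[n][LANGLEN - 1] = '\0';
        n++;
    }
    c->apids[n] = 0;  /* n <= MAXAPIDS, always inside apids */
    return n;         /* number of pids stored */
}

int main(void)
{
    const int pids[] = {101, 102, 0};              /* constructed input */
    const char langs[][LANGLEN] = {"deu", "eng"};  /* constructed input */
    struct channel c = {0};
    printf("stray indices: %zu, pids stored: %zu\n",
           oob_indices_whole_copy(MAXAPIDS), set_pids_stop_at_zero(&c, pids, langs));
    return 0;
}
```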