Hello Mauro,

could you please take a look?

Thanks,
Gregor

On 3/30/17 9:36 PM, Frank Heckenbach wrote:
> I got the same problem, only on some channels though, e.g. ZDF using
> this input:
>
> [CH34]
> DELIVERY_SYSTEM = DVBT2
> FREQUENCY = 578000000
> BANDWIDTH_HZ = 8000000
> MODULATION = QAM/16
>
> *** Error in `dvbv5-scan': malloc(): memory corruption: 0x0000000000fe13c0 ***
>
> I did some debugging with gdb and valgrind (using the upstream
> version v4l-utils-1.12.3.tar.bz2 since I needed to recompile anyway
> to get debug info).
>
> I found an invalid access in descriptors/desc_t2_delivery.c:55
>
> memcpy(&d->centre_frequency, p, len);
>
> Before this, dvb_extension_descriptor_init had
>
> desc_type == 4 (T2_delivery_system_descriptor)
>
> and
>
> dvb_ext_descriptors[4].size == sizeof(struct dvb_desc_t2_delivery) (23)
>
> so it allocated only 23 bytes, but didn't change desc_len which was
> still 68, causing the overflow.
>
> Setting desc_len to 23 didn't help, but just allocating 68 bytes
> did:
>
> --- v4l-utils-1.12.3/lib/libdvbv5/descriptors/desc_extension.c
> +++ v4l-utils-1.12.3/lib/libdvbv5/descriptors/desc_extension.c
> @@ -149,7 +149,7 @@
> if (!size)
> size = desc_len;
>
> - ext->descriptor = calloc(1, size);
> + ext->descriptor = calloc(1, desc_len);
>
> if (init) {
> if (init(parms, p, ext, ext->descriptor) != 0)
>
> NOTE: This is probably not a proper fix, just a bandaid. Since
> scanning channels is mostly a one-off job, I'm happy now that I got
> my channels list and don't plan to invest more time researching the
> issue.
>
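Review bot: on the replaced calloc line, sizing the buffer by desc_len alone discards the size selected just above (the "if (!size) size = desc_len;" fallback becomes dead code) and under-allocates whenever desc_len is smaller than the table's struct size, because the type-specific init treats ext->descriptor as a full struct. Allocating the larger of size and desc_len would cover both cases, but the copy cited in the report, "memcpy(&d->centre_frequency, p, len);", should be bounded by the room left in the struct rather than relying on a bigger buffer. The calloc result is also handed to init with no NULL check visible in this hunk.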
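The allocation/copy mismatch described in the report, as an added C example (not code from v4l-utils or from the original message): the hypothetical `struct t2_fixed`, `t2_parse` and `t2_demo_trailing` show the copy clamped to the room left in the fixed-size struct, with the excess bytes counted for separate parsing instead of being written past the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size parsed form; NOT the real struct dvb_desc_t2_delivery. */
struct t2_fixed {
    uint8_t  plp_id;
    uint16_t system_id;
    uint8_t  fields[4];   /* fixed part, copied from the descriptor body */
};

/* Room from 'fields' to the end of the struct: the most memcpy may write. */
#define T2_ROOM (sizeof(struct t2_fixed) - offsetof(struct t2_fixed, fields))

/* Parse a descriptor body of 'len' bytes, where 'len' comes from the stream.
 * The reported overflow pattern is memcpy(d->fields, p, len) into an
 * allocation of sizeof(struct). Here the copy is clamped and the bytes that
 * do not fit are counted in *trailing. Returns bytes copied, or -1. */
int t2_parse(const uint8_t *p, size_t len, struct t2_fixed **out, size_t *trailing)
{
    struct t2_fixed *d;
    size_t n = len < T2_ROOM ? len : T2_ROOM;   /* never exceed the struct */

    if (!p || !out || !trailing)
        return -1;
    d = calloc(1, sizeof(*d));
    if (!d)
        return -1;
    memcpy(d->fields, p, n);
    *trailing = len - n;      /* variable-length tail, to be parsed separately */
    *out = d;
    return (int)n;
}

/* Constructed input of 'len' bytes of 0xAB; returns trailing count or -1. */
long t2_demo_trailing(size_t len)
{
    uint8_t buf[256];
    struct t2_fixed *d = NULL;
    size_t trailing = 0;

    memset(buf, 0xAB, sizeof(buf));
    if (len > sizeof(buf) || t2_parse(buf, len, &d, &trailing) < 0)
        return -1;
    free(d);
    return (long)trailing;
}
```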