On Tue, Apr 18, 2017 at 12:54:52PM +0200, Tino Mettler wrote:
> On Thu, Mar 30, 2017 at 17:13:34 -0300, Mauro Carvalho Chehab wrote:
> > Hi Gregor,
> >
> > On Wed, 29 Mar 2017 20:45:06 +0200
> > Gregor Jasny <gjasny@xxxxxxxxxxxxxx> wrote:
> >
> > > Hello Mauro & list,
> > >
> > > could you please have a look at the dvbv5-scan crash report below?
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859008
> > >
> > > Is there anything else you need to debug this?
> >
> > I'm able to reproduce it on a Debian machine here too, but so far,
> > I was unable to discover what's causing it. I'll try to find some time
> > to take a better look at it.
>
> Hi,
>
> can I help in some way to find the cause of the crash?
>
> Regards,
> Tino
>

Hi Mauro and Tino,

with the patch below, in addition to commit b514d615166bdc0901a4c71261b87db31e89f464 ("libdvbv5: T2 delivery descriptor: fix wrong size of bandwidth field"), applied to v4l-utils 1.12.3 sources, dvbv5-scan no longer segfaults for me.

Manually replacing PID_24 with VIDEO_PID in the created dvb_channel.conf, as described in a German DVB-T2 forum, is required to make dvbv5-zap also record the video.

Regards,
Reinhard

Subject: [PATCH] libdvbv5: fix T2 delivery descriptor parsing in dvb_desc_t2_delivery_init()

Fix T2 delivery descriptor parsing by proper use of memcpy()/bswap16() on struct dvb_desc_t2_delivery *d, only skipping the cell_id instead of the remaining descriptor and using the correct d->tfs_flag check to avoid dvbv5-scan segfaults observed with the DVB-T2 HD service that was started in Germany.

Signed-off-by: Reinhard Speyerer <rspmn@xxxxxxxx>
---
 lib/libdvbv5/descriptors/desc_t2_delivery.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libdvbv5/descriptors/desc_t2_delivery.c b/lib/libdvbv5/descriptors/desc_t2_delivery.c
index 56e8d43..3831ac1 100644
--- a/lib/libdvbv5/descriptors/desc_t2_delivery.c
+++ b/lib/libdvbv5/descriptors/desc_t2_delivery.c
@@ -40,7 +40,7 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -1; } if (desc_len < len2) { - memcpy(p, buf, len); + memcpy(d, buf, len); bswap16(d->system_id); if (desc_len != len) @@ -48,19 +48,23 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -2; } - memcpy(p, buf, len2); + memcpy(d, buf, len2); + bswap16(d->system_id); + bswap16(d->bitfield); p += len2; - len = desc_len - (p - buf); - memcpy(&d->centre_frequency, p, len); - p += len; + if (desc_len - (p - buf) < sizeof(uint16_t)) { + dvb_logwarn("T2 delivery descriptor is truncated"); + return -2; + } + p += sizeof(uint16_t); - if (d->tfs_flag) - d->frequency_loop_length = 1; - else { + if (d->tfs_flag) { d->frequency_loop_length = *p; p++; } + else + d->frequency_loop_length = 1; d->centre_frequency = calloc(d->frequency_loop_length, sizeof(*d->centre_frequency));
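Review bot: in the first hunk (the `if (desc_len < len2)` branch), `memcpy(d, buf, len)` runs before the `if (desc_len != len) return -2;` check, so a descriptor shorter than `len` is copied from beyond its end before it is rejected. Changing the destination from `p` to `d` is the right fix for the original bug, but the length check should come first: `if (desc_len != len) return -2;` then `memcpy(d, buf, len); bswap16(d->system_id);`.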
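Review bot: in the second hunk the new truncation check only guarantees `sizeof(uint16_t)` bytes for the skipped cell_id; when `d->tfs_flag` is set, `d->frequency_loop_length = *p;` then reads one further byte that has not been bounds-checked, so a descriptor that ends right after cell_id is still over-read. Extend the check to cover that byte in the tfs_flag case, e.g. `if (d->tfs_flag && desc_len - (p - buf) < 1) { dvb_logwarn("T2 delivery descriptor is truncated"); return -2; }` before dereferencing `p`. A short comment on `p += sizeof(uint16_t);` naming the field being skipped (`/* cell_id */`) would also help, since the commit message is currently the only place that says what those two bytes are.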