From patchwork Sun Apr 30 15:08:22 2017
X-Patchwork-Submitter: Reinhard Speyerer
X-Patchwork-Id: 9706131
Date: Sun, 30 Apr 2017 17:08:22 +0200
From: Reinhard Speyerer
To: Tino Mettler, Mauro Carvalho Chehab
Cc: Gregor Jasny, 859008@bugs.debian.org, Linux Media Mailing List
Subject: Re: dvb-tools: dvbv5-scan segfaults with DVB-T2 HD service that just started in Germany
Message-ID: <20170430150822.GA1384@arcor.de>
In-Reply-To: <20170418105452.GA10975@eazy.amigager.de>

On Tue, Apr 18, 2017 at 12:54:52PM +0200, Tino Mettler wrote:
> On Thu, Mar 30, 2017 at 17:13:34 -0300, Mauro Carvalho Chehab wrote:
> > Hi Gregor,
> >
> > On Wed, 29 Mar 2017 20:45:06 +0200
> > Gregor Jasny wrote:
> >
> > > Hello Mauro & list,
> > >
> > > could you please have a look at the dvbv5-scan crash report below?
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859008
> > >
> > > Is there anything else you need to debug this?
> >
> > I'm able to reproduce it on a Debian machine here too, but so far,
> > I was unable to discover what's causing it. I'll try to find some time
> > to take a better look at it.
>
> Hi,
>
> can I help in some way to find the cause of the crash?
>
> Regards,
> Tino
>

Hi Mauro and Tino,

with the patch below in addition to commit
b514d615166bdc0901a4c71261b87db31e89f464 ("libdvbv5: T2 delivery descriptor:
fix wrong size of bandwidth field") applied to v4l-utils 1.12.3 sources
dvbv5-scan no longer segfaults for me. Manually replacing PID_24 with
VIDEO_PID in the created dvb_channel.conf as described in a German DVB-T2
forum is required to make dvbv5-zap also record the video.

Regards,
Reinhard

Subject: [PATCH] libdvbv5: fix T2 delivery descriptor parsing in dvb_desc_t2_delivery_init()

Fix T2 delivery descriptor parsing by proper use of memcpy()/bswap16() on
struct dvb_desc_t2_delivery *d, only skipping the cell_id instead of the
remaining descriptor and using the correct d->tfs_flag check to avoid
dvbv5-scan segfaults observed with the DVB-T2 HD service that was started
in Germany.

Signed-off-by: Reinhard Speyerer
---
 lib/libdvbv5/descriptors/desc_t2_delivery.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libdvbv5/descriptors/desc_t2_delivery.c b/lib/libdvbv5/descriptors/desc_t2_delivery.c index 56e8d43..3831ac1 100644 --- a/lib/libdvbv5/descriptors/desc_t2_delivery.c +++ b/lib/libdvbv5/descriptors/desc_t2_delivery.c @@ -40,7 +40,7 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -1; } if (desc_len < len2) { - memcpy(p, buf, len); + memcpy(d, buf, len); bswap16(d->system_id); if (desc_len != len) @@ -48,19 +48,23 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms, return -2; } - memcpy(p, buf, len2); + memcpy(d, buf, len2); + bswap16(d->system_id); + bswap16(d->bitfield); p += len2; - len = desc_len - (p - buf); - memcpy(&d->centre_frequency, p, len); - p += len; + if (desc_len - (p - buf) < sizeof(uint16_t)) { + dvb_logwarn("T2 delivery descriptor is truncated"); + return -2; + } + p += sizeof(uint16_t); - if (d->tfs_flag) - d->frequency_loop_length = 1; - else { + if (d->tfs_flag) { d->frequency_loop_length = *p; p++; } + else + d->frequency_loop_length = 1; d->centre_frequency = calloc(d->frequency_loop_length, sizeof(*d->centre_frequency));
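
Review bot: in the first hunk (@@ -40,7 +40,7), memcpy(d, buf, len) in the desc_len < len2 branch runs before desc_len != len is tested, so the copy is only safe if the earlier check that ends in return -1 (not shown in this hunk) already guarantees desc_len >= len. Since the destination is now the struct rather than the input buffer, please either move the length test ahead of the copy or add a comment stating that len cannot exceed desc_len or the fixed-size head of *d at this point.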
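
Review bot: in the second hunk (@@ -48,19 +48,23), the tfs_flag branch reads d->frequency_loop_length = *p without checking that a byte is left after the cell_id; the new truncation test only covers the sizeof(uint16_t) that is skipped. Suggest a second check of desc_len - (p - buf) before dereferencing p, returning -2 with the same dvb_logwarn() as above, because frequency_loop_length comes straight from the descriptor and sizes the calloc() that follows. Minor style point in the same hunk: the closing brace and else should share a line ("} else").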