Avoid ECM buffer overruns
This commit is contained in:
Andreas Öman
parent
e886c4bac4
commit
a544a46099
2 changed files with 8 additions and 2 deletions
|
|
@ -112,7 +112,7 @@ typedef struct capmt_caid_ecm {
|
|||
/** last ecm size */
|
||||
uint32_t cce_ecmsize;
|
||||
/** last ecm buffer */
|
||||
uint8_t cce_ecm[256];
|
||||
uint8_t cce_ecm[4096];
|
||||
|
||||
LIST_ENTRY(capmt_caid_ecm) cce_link;
|
||||
} capmt_caid_ecm_t;
|
||||
|
|
@ -411,6 +411,9 @@ capmt_table_input(struct th_descrambler *td, struct th_transport *t,
|
|||
capmt_transport_t *ct = (capmt_transport_t *)td;
|
||||
capmt_t *capmt = ct->ct_capmt;
|
||||
|
||||
if(len > 4096)
|
||||
return;
|
||||
|
||||
switch(data[0]) {
|
||||
case 0x80:
|
||||
case 0x81:
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@ typedef struct cwc_transport {
|
|||
/**
|
||||
* Current ECM
|
||||
*/
|
||||
uint8_t ct_ecm[256];
|
||||
uint8_t ct_ecm[4096];
|
||||
int ct_ecmsize;
|
||||
|
||||
int ct_ecm_reply_pending; /* Waiting for a ECM reply */
|
||||
|
|
@ -1008,6 +1008,9 @@ cwc_table_input(struct th_descrambler *td, struct th_transport *t,
|
|||
uint16_t sid = t->tht_dvb_service_id;
|
||||
cwc_t *cwc = ct->ct_cwc;
|
||||
|
||||
if(len > 4096)
|
||||
return;
|
||||
|
||||
if(cwc->cwc_caid != st->st_caid)
|
||||
return;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue