Avoid ECM buffer overruns

This commit is contained in:
Andreas Öman 2009-12-20 22:22:13 +00:00
parent e886c4bac4
commit a544a46099
2 changed files with 8 additions and 2 deletions

View file

@ -112,7 +112,7 @@ typedef struct capmt_caid_ecm {
/** last ecm size */
uint32_t cce_ecmsize;
/** last ecm buffer */
uint8_t cce_ecm[256];
uint8_t cce_ecm[4096];
LIST_ENTRY(capmt_caid_ecm) cce_link;
} capmt_caid_ecm_t;
@ -411,6 +411,9 @@ capmt_table_input(struct th_descrambler *td, struct th_transport *t,
capmt_transport_t *ct = (capmt_transport_t *)td;
capmt_t *capmt = ct->ct_capmt;
if(len > 4096)
return;
switch(data[0]) {
case 0x80:
case 0x81:

View file

@ -107,7 +107,7 @@ typedef struct cwc_transport {
/**
* Current ECM
*/
uint8_t ct_ecm[256];
uint8_t ct_ecm[4096];
int ct_ecmsize;
int ct_ecm_reply_pending; /* Waiting for a ECM reply */
@ -1008,6 +1008,9 @@ cwc_table_input(struct th_descrambler *td, struct th_transport *t,
uint16_t sid = t->tht_dvb_service_id;
cwc_t *cwc = ct->ct_cwc;
if(len > 4096)
return;
if(cwc->cwc_caid != st->st_caid)
return;