From a544a460997eaf64ed5b8669b982fddae038cde6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=96man?= <andreas@lonelycoder.com>
Date: Sun, 20 Dec 2009 22:22:13 +0000
Subject: [PATCH] Avoid ECM buffer overruns

---
 src/capmt.c | 5 ++++-
 src/cwc.c   | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/capmt.c b/src/capmt.c
index 788f1a30..9e42a8ab 100644
--- a/src/capmt.c
+++ b/src/capmt.c
@@ -112,7 +112,7 @@ typedef struct capmt_caid_ecm {
   /** last ecm size */
   uint32_t cce_ecmsize;
   /** last ecm buffer */
-  uint8_t  cce_ecm[256];
+  uint8_t  cce_ecm[4096];
   
   LIST_ENTRY(capmt_caid_ecm) cce_link;
 } capmt_caid_ecm_t;
@@ -411,6 +411,9 @@ capmt_table_input(struct th_descrambler *td, struct th_transport *t,
   capmt_transport_t *ct = (capmt_transport_t *)td;
   capmt_t *capmt = ct->ct_capmt;
 
+  if(len > 4096)
+    return;
+
   switch(data[0]) {
     case 0x80:
     case 0x81: 
diff --git a/src/cwc.c b/src/cwc.c
index 3b1c5e87..2802eb75 100644
--- a/src/cwc.c
+++ b/src/cwc.c
@@ -107,7 +107,7 @@ typedef struct cwc_transport {
   /**
    * Current ECM
    */
-  uint8_t ct_ecm[256];
+  uint8_t ct_ecm[4096];
   int ct_ecmsize;
 
   int ct_ecm_reply_pending; /* Waiting for a ECM reply */
@@ -1008,6 +1008,9 @@ cwc_table_input(struct th_descrambler *td, struct th_transport *t,
   uint16_t sid = t->tht_dvb_service_id;
   cwc_t *cwc = ct->ct_cwc;
 
+  if(len > 4096)
+    return;
+
   if(cwc->cwc_caid != st->st_caid)
     return;