From a544a460997eaf64ed5b8669b982fddae038cde6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=96man?=
Date: Sun, 20 Dec 2009 22:22:13 +0000
Subject: [PATCH] Avoid ECM buffer overruns
---
 src/capmt.c | 5 ++++-
 src/cwc.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/capmt.c b/src/capmt.c
index 788f1a30..9e42a8ab 100644
--- a/src/capmt.c
+++ b/src/capmt.c
@@ -112,7 +112,7 @@ typedef struct capmt_caid_ecm {
 /** last ecm size */
 uint32_t cce_ecmsize;
 /** last ecm buffer */
- uint8_t cce_ecm[256];
+ uint8_t cce_ecm[4096];
 LIST_ENTRY(capmt_caid_ecm) cce_link;
 } capmt_caid_ecm_t;
@@ -411,6 +411,9 @@ capmt_table_input(struct th_descrambler *td, struct th_transport *t,
 capmt_transport_t *ct = (capmt_transport_t *)td;
 capmt_t *capmt = ct->ct_capmt;
+ if(len > 4096)
+ return;
+
 switch(data[0]) {
 case 0x80:
 case 0x81:
diff --git a/src/cwc.c b/src/cwc.c
index 3b1c5e87..2802eb75 100644
--- a/src/cwc.c
+++ b/src/cwc.c
@@ -107,7 +107,7 @@ typedef struct cwc_transport {
 /**
 * Current ECM
 */
- uint8_t ct_ecm[256];
+ uint8_t ct_ecm[4096];
 int ct_ecmsize;
 int ct_ecm_reply_pending; /* Waiting for a ECM reply */
@@ -1008,6 +1008,9 @@ cwc_table_input(struct th_descrambler *td, struct th_transport *t,
 uint16_t sid = t->tht_dvb_service_id;
 cwc_t *cwc = ct->ct_cwc;
+ if(len > 4096)
+ return;
+
 if(cwc->cwc_caid != st->st_caid)
 return;
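Review bot: The literal 4096 is now written four separate times in this patch: the `cce_ecm` array in src/capmt.c (first hunk), the `ct_ecm` array in src/cwc.c, and the `len > 4096` guards in capmt_table_input and cwc_table_input. Nothing ties each guard to the buffer it is meant to protect, so the next resize of either array can silently reopen the overrun. A shared constant used in both declarations and both checks would keep them in step, for example `#define ECM_MAX_SIZE 4096` (the name is only a suggestion). Comparing against `sizeof` of the destination at the copy site would be stronger still, but the copies themselves are outside these hunks. The field comment could also record the reason for the size, e.g. `/** last ecm buffer, large enough for the longest section capmt_table_input accepts */`.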
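Review bot: The guard added to capmt_table_input (src/capmt.c, second hunk) checks only the upper bound, and the statement right after it is `switch(data[0])`, so a zero-length section still reads one byte from `data`. The declaration of `len` is outside the hunk; if it is a signed type, a negative value also passes `len > 4096` and would reach whatever copy follows. `if(len < 1 || len > 4096) return;` covers both cases. The guard added to cwc_table_input in src/cwc.c has the same upper-bound-only form. Both function bodies continue outside their hunks, so whether these checks actually dominate the copies into `cce_ecm` and `ct_ecm` cannot be confirmed from here.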