Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#12339 closed Bug Report - General (fixed)

708decoder crashes on specific data:

Reported by: eugene.smirnov@…
Owned by: Jim Stichnoth
Priority: minor
Milestone: 0.28
Component: MythTV - Captions
Version: Master Head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

Hi guys, I recently found a problem in the EIA708 decoder implementation, causing my program to crash. Please take a look at the source code.

cc708decoder.cpp line 503

    static int handle_cc_c2(CC708Reader* cc, uint service_num, int i)
    {
        const int blk_size = cc->buf_size[service_num];
        const int code = cc->buf[service_num][i+1];

So it is accessing the buffer at position i+1, while that function is used as follows:

cc708decoder.cpp line 330

    // C2 code -- nothing in EIA-708-A
    i = handle_cc_c2(cc, service_num, i+1);

For example, handle_cc_c3 works fine; there is no extra i+1 in the callee function.

This looks like an off-by-one issue. In my environment the array was out of bounds, since I've used an STL vector instead of C++ arrays; probably due to the way the buffer is allocated there is never a crash in the original code, but rather some inconsistency.

I'm attaching a 708 data file that consists of 3*X bytes of CEA708 data. You can use it to check the issue if you feed the decoder with the type byte right-shifted by 3.
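An added example, not code from the ticket or from MythTV, that models the two indexing conventions on a constructed buffer: the callee reads the C2 command code at buf[i+1], so a caller that already passes i+1 reads the byte after the intended one, and when the command sits at the end of the block it reads past buf_size. ServiceBuf, handle_c2, walk and c2_len are hypothetical names; the corrected dispatch (offset 0) is an assumption about the fix, not the project's commit.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for one service's buffer in the CC708Reader quoted
// above (buf / buf_size); not MythTV's own type.
struct ServiceBuf {
    std::vector<uint8_t> buf;
    int buf_size;
};

struct C2Cmd { int code; int start; int len; };
struct WalkResult { bool ok; std::vector<C2Cmd> cmds; };

constexpr uint8_t EXT1 = 0x10;  // escape byte that introduces the C2 code space

// Bytes a C2 command occupies including EXT1: CEA-708 gives codes 0x00-0x07
// no operand bytes, 0x08-0x0F one, 0x10-0x17 two, 0x18-0x1F three.
static int c2_len(uint8_t code) { return 2 + (code >> 3); }

// Callee with the indexing the ticket quotes: `i` must point at the EXT1
// byte, so the command code is buf[i+1]. Returns the next unread index, or
// -1 where the original code would read outside buf_size.
static int handle_c2(const ServiceBuf& s, int i, std::vector<C2Cmd>& out) {
    if (i + 1 >= s.buf_size) return -1;      // code byte lies past the block
    const uint8_t code = s.buf[i + 1];
    const int len = c2_len(code);
    if (i + len > s.buf_size) return -1;     // operand bytes lie past the block
    out.push_back({code, i, len});
    return i + len;
}

// Caller loop. caller_offset == 1 reproduces the ticket's dispatch
// `handle_cc_c2(cc, service_num, i+1)`; 0 is the corrected dispatch (an
// assumption, not MythTV's actual commit). Bytes outside C2 are skipped.
static WalkResult walk(const ServiceBuf& s, int caller_offset) {
    WalkResult r{true, {}};
    int i = 0;
    while (i < s.buf_size) {
        if (s.buf[i] != EXT1) { ++i; continue; }
        if (i + 1 >= s.buf_size) { r.ok = false; break; }  // truncated escape
        if (s.buf[i + 1] > 0x1F) { i += 2; continue; }     // G2/C3/G3: not C2, skipped here
        i = handle_c2(s, i + caller_offset, r.cmds);
        if (i < 0) { r.ok = false; break; }
    }
    return r;
}

// Constructed sample: three C2 commands, the last ending exactly at buf_size.
static const ServiceBuf kSample{{0x41, 0x10, 0x03, 0x10, 0x08, 0x55, 0x10, 0x03}, 8};
```

With offset 0 the walk decodes codes 0x03, 0x08, 0x03; with the reported offset 1 the first command's code byte is the next EXT1 escape and the last command's code byte lies at index 8, outside the block.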

Attachments (1)

video_track_with_cc.708 (40.5 KB) - added by anonymous 9 years ago.


Change History (4)

Changed 9 years ago by anonymous

Attachment: video_track_with_cc.708 added

comment:1 Changed 9 years ago by Jim Stichnoth

Component: MythTV - General → MythTV - Captions
Milestone: unknown → 0.27.5
Owner: set to Jim Stichnoth
Priority: major → minor
Status: new → accepted

comment:2 Changed 9 years ago by Jim Stichnoth <jstichnoth@…>

Resolution: fixed
Status: accepted → closed

In 01adb0e5c1df0f5969727da5309e18a6fe649c4b/mythtv:

Subtitles: Fix off-by-one error in cc708 decoding. Fixes #12339.

comment:3 Changed 9 years ago by Jim Stichnoth

Milestone: 0.27.5 → 0.28

I played about 12 hours of recordings from various TV stations, but none of them ever caused the handle_cc_c2() function to be called. Nonetheless, I agree that this does look like a legitimate bug. We can backport to 0.27 if anyone finds a video sample showing the problem.
