Opened 13 years ago
Closed 13 years ago
Last modified 13 years ago
#4918 closed defect (fixed)
can overrun fixed sized array _tsdata
| Reported by: | | Owned by: | Janne Grunau |
|---|---|---|---|
| Priority: | trivial | Milestone: | 0.22 |
| Component: | mythtv | Version: | head |
| Severity: | low | Keywords: | |
| Cc: | | Ticket locked: | no |
Description
The array _tsdata is a fixed size of 4 in class TSHeader. But the member function AFCOffset() indexes it at 4. This means that if this function is called and the conditional evaluates true, the array will be overrun. I am pretty sure this is a typo and it should just be _tsdata[3] instead of 4.
Attachments (4)
Change History (7)
Changed 13 years ago by
| Attachment: | libs_libmythtv_mpeg_tspacket.h-dont-overrun-_tsdata.2.patch added |
|---|---|
comment:1 Changed 13 years ago by
| Milestone: | unknown → 0.22 |
|---|---|
| Owner: | changed from Isaac Richards to Janne Grunau |
| Priority: | minor → trivial |
| Status: | new → accepted |
No, it's not a typo. It's correct to read the first byte after the header, which contains the adaptation field length if the packet has one.
The function should be moved from TSHeader to TSPacket.
It won't cause problems since our TSPackets are continuous memory and the over-read will give the correct value.
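The layout comment:1 relies on, as an added example in C++ that is not MythTV's code: the adaptation field length is the byte immediately after the 4-byte header, so it belongs to the 188-byte packet rather than to a header-only object, and `_tsdata[4]` is in bounds once the array that owns the whole packet is the one being indexed. Class and member names (`TSPacket`, `_tsdata`, `AFCOffset`) are assumptions modelled on the identifiers in the ticket, and the sample packets are constructed inline, not captured from a stream. The example also adds a check the plain header+1+length arithmetic does not have: a malformed `adaptation_field_length` above 183 pushes the computed payload offset past the end of the packet, and `PayloadOffset()` rejects such packets instead of returning a pointer outside `_tsdata`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Added example, not MythTV code. Names (TSPacket, _tsdata, AFCOffset) are
// assumptions modelled on the identifiers in the ticket.

constexpr size_t kTSPacketSize = 188;   // one MPEG-2 transport stream packet
constexpr size_t kTSHeaderSize = 4;     // sync byte + 3 header bytes
constexpr uint8_t kSyncByte    = 0x47;

class TSPacket {
public:
    // Copies the 188-byte packet; rejects short buffers and a wrong sync byte.
    TSPacket(const uint8_t *buf, size_t len) {
        if (len < kTSPacketSize)
            throw std::invalid_argument("short TS packet");
        std::memcpy(_tsdata, buf, kTSPacketSize);
        if (_tsdata[0] != kSyncByte)
            throw std::invalid_argument("bad sync byte");
    }

    uint16_t PID() const {
        return static_cast<uint16_t>(((_tsdata[1] & 0x1F) << 8) | _tsdata[2]);
    }
    // adaptation_field_control: 01 payload only, 10 AF only, 11 both.
    uint8_t AdaptationFieldControl() const { return (_tsdata[3] >> 4) & 0x3; }
    bool HasAdaptationField() const { return (AdaptationFieldControl() & 0x2) != 0; }
    bool HasPayload() const { return (AdaptationFieldControl() & 0x1) != 0; }

    // Same arithmetic the ticket describes: header, plus the one-byte
    // adaptation_field_length at _tsdata[4], plus that length. Because this
    // class owns all 188 bytes, index 4 is inside the array.
    size_t AFCOffset() const {
        return HasAdaptationField() ? kTSHeaderSize + 1 + _tsdata[4] : kTSHeaderSize;
    }

    // Bounds-checked payload lookup. A malformed adaptation_field_length
    // (anything above 183) pushes AFCOffset() past the packet; report that
    // instead of handing out a pointer beyond _tsdata.
    bool PayloadOffset(size_t &off) const {
        if (!HasPayload())
            return false;
        off = AFCOffset();
        return off <= kTSPacketSize;  // off == 188 means a zero-length payload
    }
    size_t PayloadSize() const {
        size_t off = 0;
        return PayloadOffset(off) ? kTSPacketSize - off : 0;
    }
    const uint8_t *Payload() const {
        size_t off = 0;
        return PayloadOffset(off) ? _tsdata + off : nullptr;
    }

private:
    uint8_t _tsdata[kTSPacketSize];
};
// The contiguous-memory point from comment:1, checked at compile time.
static_assert(sizeof(TSPacket) == kTSPacketSize, "TSPacket must be exactly one packet");

// Constructed sample packet (not captured from a real stream): 0xFF stuffing
// everywhere except the header and the adaptation field length byte.
std::vector<uint8_t> MakePacket(uint16_t pid, uint8_t afc, uint8_t af_len) {
    std::vector<uint8_t> p(kTSPacketSize, 0xFF);
    p[0] = kSyncByte;
    p[1] = static_cast<uint8_t>((pid >> 8) & 0x1F);
    p[2] = static_cast<uint8_t>(pid & 0xFF);
    p[3] = static_cast<uint8_t>((afc << 4) | 0x01);  // continuity counter 1
    if (afc & 0x2)
        p[4] = af_len;
    return p;
}

// Payload offset of a constructed packet, or 0 when there is no usable payload.
size_t PayloadOffsetFor(uint8_t afc, uint8_t af_len) {
    std::vector<uint8_t> raw = MakePacket(0x100, afc, af_len);
    TSPacket pkt(raw.data(), raw.size());
    size_t off = 0;
    return pkt.PayloadOffset(off) ? off : 0;
}

size_t PayloadSizeFor(uint8_t afc, uint8_t af_len) {
    std::vector<uint8_t> raw = MakePacket(0x100, afc, af_len);
    return TSPacket(raw.data(), raw.size()).PayloadSize();
}

int main() {
    std::printf("payload only:       offset %zu\n", PayloadOffsetFor(0x1, 0));
    std::printf("AF(7) + payload:    offset %zu, size %zu\n",
                PayloadOffsetFor(0x3, 7), PayloadSizeFor(0x3, 7));
    std::printf("AF only:            offset %zu (no payload)\n", PayloadOffsetFor(0x2, 183));
    std::printf("AF(200) + payload:  offset %zu (rejected)\n", PayloadOffsetFor(0x3, 200));
    return 0;
}
```

A header-only class of four bytes has nowhere to read the length byte from, which is why the ticket moves the accessor to the packet class; the `static_assert` is the compile-time form of the "continuous memory" argument, and `PayloadOffset()` is the guard against streams whose length byte is wrong rather than merely present.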
Changed 13 years ago by
| Attachment: | libs_libmythtv_mpeg_tspacket.h-move-AFCOffset-to-TSPacket.patch added |
|---|---|
Moves AFCOffset to TSPacket so that we don't have funny indexing of _tsdata
Changed 13 years ago by
| Attachment: | libs_libmythtv_mpeg_tspacket.h-init-_tspayload.patch added |
|---|---|
init tspayload in ctor (so it does not have uninitialized values)
Changed 13 years ago by
| Attachment: | libs_libmythtv_mpeg_tspacket.h-comment-fixing.patch added |
|---|---|
fix two spelling typos in the comments
comment:2 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
(In [17198]) Fixes #4918. Fixes typo in comment.
Note on things that were not changed:
- 'iff' is short for 'if and only if' -- not a typo of 'if'
- TSHeader by itself is not a valid object, which is why we don't initialize the rest of the packet. I've added a comment.
- AFCOffset was explained earlier in the ticket, I've added a short comment to the code.
comment:3 Changed 13 years ago by
Thanks for following up. I appreciate it. It allows me to drop patching where possible (and unnecessary).
Changes indexing value from 4 to 3 since the array is only four entries big