[libaacs-devel] [PATCH] Fix endless loop in _record - V2

[Roland Fischer]

In case of a corrupt file it could happen that len get 0 in _record
and this results in an endless loop.
Created an exit condition for this case and fixed related
procedures too (they need to cope with the error-return-value
from _record).
Reason for change: https://github.com/OpenELEC/OpenELEC.tv/pull/4378
---
 src/libaacs/mkb.c | 46 +++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 7 deletions(-)

diff --git a/src/libaacs/mkb.c b/src/libaacs/mkb.c
index 275b269..4985c4d 100644
--- a/src/libaacs/mkb.c
+++ b/src/libaacs/mkb.c
@@ -52,6 +52,12 @@ static const uint8_t *_record(MKB *mkb, uint8_t type, size_t 
*rec_len)
             return mkb->buf + pos;
         }
 
+        if (len == 0) {
+            BD_DEBUG(DBG_MKB, "Couldn't retrieve MKB record 0x%02x - len=0 
(%p)\n", type,
+                  (void*)(mkb->buf + pos));
+            break;
+        }
+
         pos += len;
     }
 
@@ -108,6 +114,10 @@ uint8_t mkb_type(MKB *mkb)
 {
     const uint8_t *rec = _record(mkb, 0x10, NULL);
 
+    if (!rec) {
+        return 0;
+    }
+
     return MKINT_BE32(rec + 4);
 }
 
@@ -115,6 +125,10 @@ uint32_t mkb_version(MKB *mkb)
 {
     const uint8_t *rec = _record(mkb, 0x10, NULL);
 
+    if (!rec) {
+        return 0;
+    }
+
     return MKINT_BE32(rec + 8);
 }
 
@@ -152,31 +166,49 @@ const uint8_t *mkb_drive_revokation_entries(MKB *mkb, 
size_t *len)
 
 const uint8_t *mkb_subdiff_records(MKB *mkb, size_t *len)
 {
-    const uint8_t *rec = _record(mkb, 0x04, len) + 4;
-    *len -= 4;
+    const uint8_t *rec = _record(mkb, 0x04, len);
+
+    if (rec) {
+        rec += 4;
+        *len -= 4;
+    }
 
     return rec;
 }
 
 const uint8_t *mkb_cvalues(MKB *mkb, size_t *len)
 {
-    const uint8_t *rec = _record(mkb, 0x05, len) + 4;
-    *len -= 4;
+    const uint8_t *rec = _record(mkb, 0x05, len);
+
+    if (rec) {
+        rec += 4;
+        *len -= 4;
+    }
 
     return rec;
 }
 
 const uint8_t *mkb_mk_dv(MKB *mkb)
 {
-    return _record(mkb, 0x81, NULL) + 4;
+    const uint8_t *rec = _record(mkb, 0x81, NULL);
+
+    if (rec) {
+        rec += 4;
+    }
+
+    return rec;
 }
 
 const uint8_t *mkb_signature(MKB *mkb, size_t *len)
 {
     const uint8_t *rec = _record(mkb, 0x02, len);
-    *len -= 4;
 
-    return rec + 4;
+    if (rec) {
+        rec += 4;
+        *len -= 4;
+    }
+
+    return rec;
 
 }
 
-- 
2.6.3.windows.1

_______________________________________________
libaacs-devel mailing list
libaacs-devel@videolan.org
https://mailman.videolan.org/listinfo/libaacs-devel