libaacs | branch: master | Roland Fischer <na...@gmx.net> | Thu Dec 10 20:47:02 2015 +0100| [972679a52f6a38f08c0bd0ea5c8a0d4750d6a8e8] | committer: npzacs
mkb: Fix endless loop in _record In case of a corrupt file it could happen that len get 0 in _record and this results in an endless loop. Created an exit condition for this case and fixed related procedures too (they need to cope with the error-return-value from _record). Reason for change: https://github.com/OpenELEC/OpenELEC.tv/pull/4378 > http://git.videolan.org/gitweb.cgi/libaacs.git/?a=commit;h=972679a52f6a38f08c0bd0ea5c8a0d4750d6a8e8 --- src/libaacs/mkb.c | 46 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/src/libaacs/mkb.c b/src/libaacs/mkb.c index 275b269..4985c4d 100644 --- a/src/libaacs/mkb.c +++ b/src/libaacs/mkb.c @@ -52,6 +52,12 @@ static const uint8_t *_record(MKB *mkb, uint8_t type, size_t *rec_len) return mkb->buf + pos; } + if (len == 0) { + BD_DEBUG(DBG_MKB, "Couldn't retrieve MKB record 0x%02x - len=0 (%p)\n", type, + (void*)(mkb->buf + pos)); + break; + } + pos += len; } @@ -108,6 +114,10 @@ uint8_t mkb_type(MKB *mkb) { const uint8_t *rec = _record(mkb, 0x10, NULL); + if (!rec) { + return 0; + } + return MKINT_BE32(rec + 4); } @@ -115,6 +125,10 @@ uint32_t mkb_version(MKB *mkb) { const uint8_t *rec = _record(mkb, 0x10, NULL); + if (!rec) { + return 0; + } + return MKINT_BE32(rec + 8); } @@ -152,31 +166,49 @@ const uint8_t *mkb_drive_revokation_entries(MKB *mkb, size_t *len) const uint8_t *mkb_subdiff_records(MKB *mkb, size_t *len) { - const uint8_t *rec = _record(mkb, 0x04, len) + 4; - *len -= 4; + const uint8_t *rec = _record(mkb, 0x04, len); + + if (rec) { + rec += 4; + *len -= 4; + } return rec; } const uint8_t *mkb_cvalues(MKB *mkb, size_t *len) { - const uint8_t *rec = _record(mkb, 0x05, len) + 4; - *len -= 4; + const uint8_t *rec = _record(mkb, 0x05, len); + + if (rec) { + rec += 4; + *len -= 4; + } return rec; } const uint8_t *mkb_mk_dv(MKB *mkb) { - return _record(mkb, 0x81, NULL) + 4; + const uint8_t *rec = _record(mkb, 0x81, NULL); + + if (rec) { + rec += 4; + } + + return rec; } const uint8_t *mkb_signature(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x02, len); - *len -= 4; - return rec + 4; + if (rec) { + rec += 4; + *len -= 4; + } + + return rec; } _______________________________________________ libaacs-devel mailing list libaacs-devel@videolan.org https://mailman.videolan.org/listinfo/libaacs-devel