In case of a corrupt file it could happen that len get 0 in _record and this results in an endless loop. Created an exit condition for this case and fixed related procedures too (they need to cope with the error-return-value from _record). Reason for change: https://github.com/OpenELEC/OpenELEC.tv/pull/4378
---
src/libaacs/mkb.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/src/libaacs/mkb.c b/src/libaacs/mkb.c
index 275b269..9de4beb 100644
--- a/src/libaacs/mkb.c
+++ b/src/libaacs/mkb.c
@@ -52,6 +52,12 @@ static const uint8_t *_record(MKB *mkb, uint8_t type, size_t *rec_len) return mkb->buf + pos; } + if (len == 0) { + BD_DEBUG(DBG_MKB, "Couldn't retrieved MKB record 0x%02x - len=0 (%p)\n", type, + (void*)(mkb->buf + pos)); + break; + } + pos += len; }
@@ -108,6 +114,10 @@ uint8_t mkb_type(MKB *mkb) { const uint8_t *rec = _record(mkb, 0x10, NULL); + if (!rec) { + return 0; + } + return MKINT_BE32(rec + 4); }
@@ -115,6 +125,9 @@ uint32_t mkb_version(MKB *mkb) { const uint8_t *rec = _record(mkb, 0x10, NULL); + if (!rec) { + return 0; + } return MKINT_BE32(rec + 8); }
@@ -130,6 +143,9 @@ const uint8_t *mkb_host_revokation_entries(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x21, len); + if (!rec) { + return NULL; + } if (rec) { rec += 4; *len -= 4;
@@ -142,6 +158,9 @@ const uint8_t *mkb_drive_revokation_entries(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x20, len); + if (!rec) { + return NULL; + } if (rec) { rec += 4; *len -= 4;
@@ -153,6 +172,9 @@ const uint8_t *mkb_drive_revokation_entries(MKB *mkb, size_t *len) const uint8_t *mkb_subdiff_records(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x04, len) + 4; + if (!rec) { + return NULL; + } *len -= 4; return rec;
@@ -161,6 +183,9 @@ const uint8_t *mkb_subdiff_records(MKB *mkb, size_t *len) const uint8_t *mkb_cvalues(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x05, len) + 4; + if (!rec) { + return NULL; + } *len -= 4; return rec;
@@ -174,6 +199,9 @@ const uint8_t *mkb_mk_dv(MKB *mkb) const uint8_t *mkb_signature(MKB *mkb, size_t *len) { const uint8_t *rec = _record(mkb, 0x02, len); + if (!rec) { + return NULL; + } *len -= 4; return rec + 4;
-- 2.6.3.windows.1
_______________________________________________
libaacs-devel mailing list
libaacs-devel@videolan.org
https://mailman.videolan.org/listinfo/libaacs-devel
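Review bot: The new `len == 0` guard in the `_record` hunk sits after the type-match block that ends in `return mkb->buf + pos;`, so a zero-length record whose type byte matches is still handed to the caller, and the callers patched here then run `*len -= 4` on it. The guard also lets lengths 1 to 3 through, which are shorter than the 4 bytes those callers skip, and nothing visible in the hunk compares `len` with the bytes left in the buffer. Moving the check above the match and widening it to `if (len < 4) {` would reject a malformed header before any pointer escapes; a bound against the remaining buffer belongs in the same place. The loop head and the store through `rec_len` are outside the hunk, so where `len` is published should be confirmed there. The log text would read better as "Couldn't retrieve MKB record".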
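Review bot: In the `mkb_type` hunk, `MKINT_BE32(rec + 4)` is reached after only a NULL check, and `_record` is called with a NULL length pointer, so nothing confirms that the type 0x10 record is long enough for that read (8 bytes, assuming the macro reads four bytes as its name suggests). On a truncated or corrupt file the read can run past the record and possibly past the buffer. The `mkb_version` hunk has the same gap with `MKINT_BE32(rec + 8)`, which would need 12 bytes. Passing a local `size_t len` to `_record` and adding `if (!rec || len < 8) return 0;` (12 in `mkb_version`) would close it. Since 0 now doubles as the error value, a short comment such as `/* returns 0 when the record is missing or malformed */` would tell callers how to read it.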
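Review bot: In the `mkb_host_revokation_entries` hunk, `*len -= 4` operates on a `size_t`, so it wraps to a very large value whenever the length reported through `len` is below 4, and the added NULL check does not cover that case. The same subtraction appears in the `mkb_drive_revokation_entries`, `mkb_subdiff_records`, `mkb_cvalues` and `mkb_signature` hunks, where the wrapped length would be handed to whatever walks the entries. A combined guard such as `if (!rec || *len < 4) return NULL;` ahead of the subtraction keeps the reported length inside the record. In this hunk and the `mkb_drive_revokation_entries` one, the pre-existing `if (rec) {` is always true after the new early return and can be dropped. Both function bodies continue past the end of their hunks.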
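Review bot: The `if (!rec)` added in the `mkb_subdiff_records` hunk can never fire, because `rec` is initialised as `_record(mkb, 0x04, len) + 4`. When `_record` returns NULL the sum is a non-null pointer (and arithmetic on a null pointer is undefined behaviour), so the function still decrements `*len` and returns an invalid address. The `mkb_cvalues` hunk repeats the pattern with type 0x05. Take the raw result first with `const uint8_t *rec = _record(mkb, 0x04, len);`, keep the NULL check, and finish with `return rec + 4;` as `mkb_signature` already does.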