Re: dvb-tools: dvbv5-scan segfaults with DVB-T2 HD service that just started in Germany

[Reinhard Speyerer <rspmn@arcor.de>]

On Tue, Apr 18, 2017 at 12:54:52PM +0200, Tino Mettler wrote:
> On Thu, Mar 30, 2017 at 17:13:34 -0300, Mauro Carvalho Chehab wrote:
> > Hi Gregor,
> > 
> > Em Wed, 29 Mar 2017 20:45:06 +0200
> > Gregor Jasny <gjasny@googlemail.com> escreveu:
> > 
> > > Hello Mauro & list,
> > > 
> > > could you please have a look at the dvbv5-scan crash report below?
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859008
> > > 
> > > Is there anything else you need to debug this?
> > 
> > I'm able to reproduce it on a Debian machine here too, but so far,
> > I was unable to discover what's causing it. I'll try to find some time
> > to take a better look on it.
> 
> Hi,
> 
> can I help in some way to find the cause of crash?
> 
> Regards,
> Tino
> 

Hi Mauro and Tino,
with the patch below in addition to commit b514d615166bdc0901a4c71261b87db31e89f464
("libdvbv5: T2 delivery descriptor: fix wrong size of bandwidth field") applied
to v4l-utils 1.12.3 sources dvbv5-scan no longer segfaults for me.

Manually replacing PID_24 with VIDEO_PID in the created dvb_channel.conf
as described in a german DVB-T2 forum is required to make dvbv5-zap also
record the video.

Regards,
Reinhard

Subject: [PATCH] libdvbv5: fix T2 delivery descriptor parsing in dvb_desc_t2_delivery_init()

Fix T2 delivery descriptor parsing by proper use of memcpy()/bswap16()
on struct dvb_desc_t2_delivery *d, only skipping the cell_id instead of
the remaining descriptor and using the correct d->tfs_flag check
to avoid dvbv5-scan segfaults observed with the DVB-T2 HD service that 
was started in Germany.

Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
---
 lib/libdvbv5/descriptors/desc_t2_delivery.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libdvbv5/descriptors/desc_t2_delivery.c b/lib/libdvbv5/descriptors/desc_t2_delivery.c
index 56e8d43..3831ac1 100644
--- a/lib/libdvbv5/descriptors/desc_t2_delivery.c
+++ b/lib/libdvbv5/descriptors/desc_t2_delivery.c
@@ -40,7 +40,7 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms,
 		return -1;
 	}
 	if (desc_len < len2) {
-		memcpy(p, buf, len);
+		memcpy(d, buf, len);
 		bswap16(d->system_id);
 
 		if (desc_len != len)
@@ -48,19 +48,23 @@ int dvb_desc_t2_delivery_init(struct dvb_v5_fe_parms *parms,
 
 		return -2;
 	}
-	memcpy(p, buf, len2);
+	memcpy(d, buf, len2);
+	bswap16(d->system_id);
+	bswap16(d->bitfield);
 	p += len2;
 
-	len = desc_len - (p - buf);
-	memcpy(&d->centre_frequency, p, len);
-	p += len;
+	if (desc_len - (p - buf) < sizeof(uint16_t)) {
+		dvb_logwarn("T2 delivery descriptor is truncated");
+		return -2;
+	}
+	p += sizeof(uint16_t);
 
-	if (d->tfs_flag)
-		d->frequency_loop_length = 1;
-	else {
+	if (d->tfs_flag) {
 		d->frequency_loop_length = *p;
 		p++;
 	}
+	else
+		d->frequency_loop_length = 1;
 
 	d->centre_frequency = calloc(d->frequency_loop_length,
 				     sizeof(*d->centre_frequency));