From: Jaroslav Kysela <perex@perex.cz>
Date: Mon, 26 Jan 2015 19:13:01 +0000 (+0100)
Subject: tvhcsa: fix the read after allocated memory valgrind error
X-Git-Tag: v4.1~418
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0515caa92f1822db2361a95142bd547e18180d94;p=thirdparty%2Ftvheadend.git

tvhcsa: fix the read after allocated memory valgrind error
---

diff --git a/src/descrambler/tvhcsa.c b/src/descrambler/tvhcsa.c
index ac4e13733..a10480f79 100644
--- a/src/descrambler/tvhcsa.c
+++ b/src/descrambler/tvhcsa.c
@@ -107,6 +107,8 @@ static void
 tvhcsa_des_descramble
   ( tvhcsa_t *csa, struct mpegts_service *s, const uint8_t *tsb )
 {
+  assert(csa->csa_fill >= 0 && csa->csa_fill < csa->csa_cluster_size);
+
 #if ENABLE_DVBCSA
   uint8_t *pkt;
   int xc0;
@@ -247,7 +249,10 @@ tvhcsa_init ( tvhcsa_t *csa )
 #else
   csa->csa_cluster_size  = get_suggested_cluster_size();
 #endif
-  csa->csa_tsbcluster    = malloc(csa->csa_cluster_size * 188);
+  /* Note: the optimized routines might read memory after last TS packet */
+  /*       allocate safe memory and fill it with zeros */
+  csa->csa_tsbcluster    = malloc((csa->csa_cluster_size + 1) * 188);
+  memset(csa->csa_tsbcluster + csa->csa_cluster_size * 188, 0, 188);
 #if ENABLE_DVBCSA
   csa->csa_tsbbatch_even = malloc((csa->csa_cluster_size + 1) *
                                    sizeof(struct dvbcsa_bs_batch_s));