From: Jaroslav Kysela <perex@perex.cz>
Date: Wed, 7 Jun 2017 05:58:01 +0000 (+0200)
Subject: descrambler: fix NULL dereference in descrambler_data_key_check()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=055e2f68d26d7b56555ec8b6ed60caf869fd500d;p=thirdparty%2Ftvheadend.git

descrambler: fix NULL dereference in descrambler_data_key_check()
---

diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c
index 82c7c9add..d9559d700 100644
--- a/src/descrambler/descrambler.c
+++ b/src/descrambler/descrambler.c
@@ -160,7 +160,7 @@ static int
 descrambler_data_key_check(th_descrambler_runtime_t *dr, uint8_t key, int len)
 {
   th_descrambler_data_t *dd;
-  int off = 0;
+  int off = 0, l;
 
   if ((dd = TAILQ_FIRST(&dr->dr_queue)) == NULL)
     return 0;
@@ -168,16 +168,11 @@ descrambler_data_key_check(th_descrambler_runtime_t *dr, uint8_t key, int len)
     while (dd && dd->dd_sbuf.sb_data == NULL)
       dd = TAILQ_NEXT(dd, dd_link);
     if (dd == NULL) break;
-    if (dd->dd_sbuf.sb_ptr <= off) {
-      dd = TAILQ_NEXT(dd, dd_link);
-      if (dd == NULL)
+    l = dd->dd_sbuf.sb_ptr;
+    for (off = 0; off < l && len > 0; off += 128, l -= 128)
+      if ((dd->dd_sbuf.sb_data[off + 3] & 0xc0) != key)
         return 0;
-      off = 0;
-    }
-    if ((dd->dd_sbuf.sb_data[off + 3] & 0xc0) != key)
-      return 0;
-    off += 188;
-    len -= 188;
+    dd = TAILQ_NEXT(dd, dd_link);
   }
   return 1;
 }