Details
-
Bug
-
Resolution: Fixed
-
Major
-
1.14.100
Description
<div><p>The following Teletext packet sequence causes a crash:</p>
<p>47 47 F0 36 8F 00 FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF 00 00 01 BD 00 28 85 80 24 27 AE 9B</p>
<p>C4 49 FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>47 47 F0 17 00 00 01 BD 01 6A ...</p>
<p> </p>
<p>The issue is that the PES packet header starting "00 00 01..." in the first TS packet above cannot be completely contained within that TS packet. I'm not certain if the specifications allow the header to overflow into the following TS packet. Regardless, the first byte in the next TS packet actually contains the start of a new PES packet. In other words: based on the PES packet length, 6 bytes are MIA.</p>
<p>The existing MP code actually detects the error condition, but still proceeds with processing the packet (!!!). Most if not all released versions of MP are probably affected.</p>
</div>
<p>47 47 F0 36 8F 00 FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF 00 00 01 BD 00 28 85 80 24 27 AE 9B</p>
<p>C4 49 FF FF FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>FF FF FF FF FF FF FF FF FF FF FF FF</p>
<p>47 47 F0 17 00 00 01 BD 01 6A ...</p>
<p> </p>
<p>The issue is that the PES packet header starting "00 00 01..." in the first TS packet above cannot be completely contained within that TS packet. I'm not certain if the specifications allow the header to overflow into the following TS packet. Regardless, the first byte in the next TS packet actually contains the start of a new PES packet. In other words: based on the PES packet length, 6 bytes are MIA.</p>
<p>The existing MP code actually detects the error condition, but still proceeds with processing the packet (!!!). Most if not all released versions of MP are probably affected.</p>
</div>
Attachments
Issue Links
- links to