708decoder crashes on specific data:

[eugene.smirnov@…]

Hi guys, i recently found a problem in EIA708 decoder implementation, causing my programm to crash, please take a look at source code.

cc708decoder.cpp line 503 static int handle_cc_c2(CC708Reader* cc, uint service_num, int i) {

const int blk_size = cc->buf_size[service_num]; const int code = cc->buf[service_num][i+1];

so it accessing buffer at position i+1, while that function used as follows:

cc708decoder.cpp line 330

C2 code -- nothing in EIA-708-A

i = handle_cc_c2(cc, service_num, i+1);

For example handle_cc_c3 works fine, there is no extra i+1 in callee function

This looks like off by one issue, in my environment array was out of bound, cinse i've used stl vector instead of c++ arrays, probably dueto way of allocation buffer there never a crash in original code, but rather some inconsistence.

I'm attaching 708 data file that consist of 3*X bytes of CEA708 data. You can use it to check issue, if to feed decoder with type byte right shifted by 3

[Jim Stichnoth <jstichnoth@…>]

In 01adb0e5c1df0f5969727da5309e18a6fe649c4b/mythtv:

Error: Processor CommitTicketReference failed

GIT backend not available

[Jim Stichnoth]

I played about 12 hours of recordings from various TV stations, but none of them ever caused the handle_cc_c2() function to be called. Nonetheless, I agree that this does look like a legitimate bug. We can backport to 0.27 if anyone finds a video sample showing the problem.