Commit 7ac95cf5 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab

[media] firewire: firedtv-avc: fix more potential buffer overflow

"program_info_length" is user controlled and can go up to 4095.  The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.

The " - 4" in the limit check is because we have 4 bytes more data to
add after the memcpy().

[mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed
 to rebase to apply just the differences between v1 and v2]
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
parent cf3b576d
...@@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) ...@@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
if (pmt_cmd_id != 1 && pmt_cmd_id != 4) if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, dev_err(fdtv->device,
"invalid pmt_cmd_id %d\n", pmt_cmd_id); "invalid pmt_cmd_id %d\n", pmt_cmd_id);
if (program_info_length > sizeof(c->operand) - write_pos) { if (program_info_length > sizeof(c->operand) - 4 - write_pos) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
...@@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) ...@@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
dev_err(fdtv->device, "invalid pmt_cmd_id %d " dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id); "at stream level\n", pmt_cmd_id);
if (es_info_length > sizeof(c->operand) - write_pos) { if (es_info_length > sizeof(c->operand) - 4 -
write_pos) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment