Commit c1ced46c authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab

media: pvrusb2: Prevent a buffer overflow

The ctrl_check_input() function is called from pvr2_ctrl_range_check().
It's supposed to validate user supplied input and return true or false
depending on whether the input is valid or not.  The problem is that
negative shifts or shifts greater than 31 are undefined in C.  In
practice with GCC they result in shift wrapping so this function returns
true for some inputs which are not valid and this could result in a
buffer overflow:

    drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
    warn: uncapped user index 'names[val]'

The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
and the highest valid bit is BIT(4).

Fixes: 7fb20fa3 ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent bac87534
...@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp) ...@@ -666,6 +666,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
{ {
if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
return 0;
return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
} }
......
...@@ -50,6 +50,7 @@ ...@@ -50,6 +50,7 @@
#define PVR2_CVAL_INPUT_COMPOSITE 2 #define PVR2_CVAL_INPUT_COMPOSITE 2
#define PVR2_CVAL_INPUT_SVIDEO 3 #define PVR2_CVAL_INPUT_SVIDEO 3
#define PVR2_CVAL_INPUT_RADIO 4 #define PVR2_CVAL_INPUT_RADIO 4
#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
enum pvr2_config { enum pvr2_config {
pvr2_config_empty, /* No configuration */ pvr2_config_empty, /* No configuration */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment