libdvbv5: Don't go past the size of dvb_v5_attr_names
authorMauro Carvalho Chehab <m.chehab@samsung.com>
Sun, 31 Aug 2014 23:57:51 +0000 (20:57 -0300)
committerMauro Carvalho Chehab <m.chehab@samsung.com>
Sun, 31 Aug 2014 23:58:52 +0000 (20:58 -0300)
As reported by Coverity:

4. cond_between: Checking cmd < 256 implies that cmd has the value which is between 0 and 255 (inclusive) on the true branch.
469        if (cmd >= 0 && cmd < DTV_USER_COMMAND_START)

CID 1054610 (#1 of 1): Out-of-bounds read (OVERRUN)5. overrun-local: Overrunning array dvb_v5_attr_names of 70 8-byte elements at element index 255 (byte offset 2040) using index cmd (which evaluates to 255).
470                return dvb_v5_attr_names[cmd];
471        else if (cmd >= 0 && cmd <= DTV_MAX_STAT_COMMAND)
472                return dvb_user_attr_names[cmd - DTV_USER_COMMAND_START];
473        return NULL;

This wouldn't be a problem if the function was just internal,
but this is part of the public functions.

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
lib/libdvbv5/dvb-fe.c

index 0edd240..238bde6 100644 (file)
@@ -466,9 +466,9 @@ const char *dvb_cmd_name(int cmd)
 
 const char *const *dvb_attr_names(int cmd)
 {
-       if (cmd >= 0 && cmd < DTV_USER_COMMAND_START)
+       if (cmd >= 0 && cmd < ARRAY_SIZE(dvb_v5_attr_names))
                return dvb_v5_attr_names[cmd];
-       else if (cmd >= 0 && cmd <= DTV_MAX_STAT_COMMAND)
+       else if (cmd >= DTV_USER_COMMAND_START && cmd <= DTV_MAX_STAT_COMMAND)
                return dvb_user_attr_names[cmd - DTV_USER_COMMAND_START];
        return NULL;
 }