media: m88rs6000t: avoid potential out-of-bounds reads on arrays

There a 3 array for-loops that don't check the upper bounds of the
index into arrays and this may lead to potential out-of-bounds
reads.  Fix this by adding array size upper bounds checks to be
full safe.

Addresses-Coverity: ("Out-of-bounds read")

Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com
Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

diff --git a/drivers/media/tuners/m88rs6000t.c b/drivers/media/tuners/m88rs6000t.c
index b3505f4..8647c50 100644 (file)
--- a/drivers/media/tuners/m88rs6000t.c
+++ b/drivers/media/tuners/m88rs6000t.c
@@ -525,7 +525,7 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
        PGA2_cri = PGA2_GC >> 2;
        PGA2_crf = PGA2_GC & 0x03;
 
-       for (i = 0; i <= RF_GC; i++)
+       for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++)
                RFG += RFGS[i];
 
        if (RF_GC == 0)
@@ -537,12 +537,12 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
        if (RF_GC == 3)
                RFG += 100;
 
-       for (i = 0; i <= IF_GC; i++)
+       for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++)
                IFG += IFGS[i];
 
        TIAG = TIA_GC * TIA_GS;
 
-       for (i = 0; i <= BB_GC; i++)
+       for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++)
                BBG += BBGS[i];
 
        PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS;