From: Dan Carpenter Date: Tue, 9 Sep 2014 12:11:23 +0000 (-0300) Subject: [media] firewire: firedtv-avc: fix more potential buffer overflow X-Git-Tag: v5.15~16478^2~497 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7ac95cf59d59473e680937319594ce0719497e98;p=platform%2Fkernel%2Flinux-starfive.git [media] firewire: firedtv-avc: fix more potential buffer overflow "program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. The " - 4" in the limit check is because we have 4 bytes more data to add after the memcpy(). [mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed to rebase to apply just the differences between v1 and v2] Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index ac17567..251a556 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d\n", pmt_cmd_id); - if (program_info_length > sizeof(c->operand) - write_pos) { + if (program_info_length > sizeof(c->operand) - 4 - write_pos) { ret = -EINVAL; goto out; } @@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) dev_err(fdtv->device, "invalid pmt_cmd_id %d " "at stream level\n", pmt_cmd_id); - if (es_info_length > sizeof(c->operand) - write_pos) { + if (es_info_length > sizeof(c->operand) - 4 - + write_pos) { ret = -EINVAL; goto out; }