From 04accf23bf8f6e3fbcfbc0ff4a8430edd6832d76 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Sun, 31 Aug 2014 20:57:51 -0300
Subject: [PATCH] libdvbv5: Don't go past the size of dvb_v5_attr_names

As reported by Coverity: 4. cond_between: Checking cmd < 256 implies that cmd has the value which is between 0 and 255 (inclusive) on the true branch. 469 if (cmd >= 0 && cmd < DTV_USER_COMMAND_START) CID 1054610 (#1 of 1): Out-of-bounds read (OVERRUN)5. overrun-local: Overrunning array dvb_v5_attr_names of 70 8-byte elements at element index 255 (byte offset 2040) using index cmd (which evaluates to 255). 470 return dvb_v5_attr_names[cmd]; 471 else if (cmd >= 0 && cmd <= DTV_MAX_STAT_COMMAND) 472 return dvb_user_attr_names[cmd - DTV_USER_COMMAND_START]; 473 return NULL; This wouldn't be a problem if the function was just internal, but this is part of the public functions.
Signed-off-by: Mauro Carvalho Chehab
---
 lib/libdvbv5/dvb-fe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/libdvbv5/dvb-fe.c b/lib/libdvbv5/dvb-fe.c
index 0edd240..238bde6 100644
--- a/lib/libdvbv5/dvb-fe.c
+++ b/lib/libdvbv5/dvb-fe.c
@@ -466,9 +466,9 @@ const char *dvb_cmd_name(int cmd)

 const char *const *dvb_attr_names(int cmd)
 {
- if (cmd >= 0 && cmd < DTV_USER_COMMAND_START)
+ if (cmd >= 0 && cmd < ARRAY_SIZE(dvb_v5_attr_names))
 return dvb_v5_attr_names[cmd];
- else if (cmd >= 0 && cmd <= DTV_MAX_STAT_COMMAND)
+ else if (cmd >= DTV_USER_COMMAND_START && cmd <= DTV_MAX_STAT_COMMAND)
 return dvb_user_attr_names[cmd - DTV_USER_COMMAND_START];
 return NULL;
 }
--
2.7.4
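Review bot: The second branch of dvb_attr_names() still bounds its index with a command constant (`cmd <= DTV_MAX_STAT_COMMAND`) rather than with the size of dvb_user_attr_names, which is the same pattern Coverity flagged for the first array. The definition of dvb_user_attr_names is outside this hunk, so whether it really has DTV_MAX_STAT_COMMAND - DTV_USER_COMMAND_START + 1 entries cannot be confirmed here. Since this is a public entry point taking a caller-supplied int, tying the check to the array would make both lookups safe by construction: `else if (cmd >= DTV_USER_COMMAND_START && cmd - DTV_USER_COMMAND_START < ARRAY_SIZE(dvb_user_attr_names))`. Separately, `cmd < ARRAY_SIZE(dvb_v5_attr_names)` compares an int with what is presumably a size_t; the `cmd >= 0` guard keeps it correct, but an explicit `(size_t)cmd` would avoid a sign-compare warning.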