From f9d7bffd8dd6195f80566f629c95b122237fe371 Mon Sep 17 00:00:00 2001 From: Pengcheng Chen Date: Tue, 23 Jul 2019 10:24:04 +0800 Subject: [PATCH] dv: fix Buffer overflow in amdolby_vision due to string processing [1/1] PD#OTT-5058 Problem: Buffer overflow in amdolby_vision due to string processing Solution: add buffer limited when string buffer accepting commands (namely *parm); Verify: verified on Raven Change-Id: Icd550f331efb2ee46e2f270e516df9942837f93d Signed-off-by: Pengcheng Chen --- drivers/amlogic/media/enhancement/amdolby_vision/amdolby_vision.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/amlogic/media/enhancement/amdolby_vision/amdolby_vision.c b/drivers/amlogic/media/enhancement/amdolby_vision/amdolby_vision.c index c9eeabf..91b19ee 100644 --- a/drivers/amlogic/media/enhancement/amdolby_vision/amdolby_vision.c +++ b/drivers/amlogic/media/enhancement/amdolby_vision/amdolby_vision.c @@ -1078,6 +1078,8 @@ static uint64_t stb_core1_lut[STB_DMA_TBL_SIZE]; static bool tv_mode; static bool mel_mode; + +#define MAX_PARAM 8 bool is_meson_gxm(void) { if (dv_meson_dev.cpu_id == _CPU_MAJOR_ID_GXM) @@ -6958,6 +6960,8 @@ static void parse_param_amdolby_vision(char *buf_orig, char **parm) if (*token == '\0') continue; parm[n++] = token; + if (n >= MAX_PARAM) + break; } } @@ -6978,7 +6982,7 @@ static ssize_t amdolby_vision_debug_store(struct class *cla, struct class_attribute *attr, const char *buf, size_t count) { - char *buf_orig, *parm[8] = {NULL}; + char *buf_orig, *parm[MAX_PARAM] = {NULL}; long val = 0; if (!buf) -- 2.7.4