summaryrefslogtreecommitdiff
path: root/drivers/media
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2014-09-09 09:11:23 -0300
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>2014-09-23 16:13:39 -0300
commit7ac95cf59d59473e680937319594ce0719497e98 (patch)
treeb7cb5b002d0e71aacb17868f228d880cf8d5a2cb /drivers/media
parentcf3b576d52c1f0a204f0c8bdecc22a338f7ca5a4 (diff)
[media] firewire: firedtv-avc: fix more potential buffer overflow
"program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. The " - 4" in the limit check is because we have 4 bytes more data to add after the memcpy(). [mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed to rebase to apply just the differences between v1 and v2] Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/firewire/firedtv-avc.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index ac17567f0822..251a556112a9 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device,
"invalid pmt_cmd_id %d\n", pmt_cmd_id);
- if (program_info_length > sizeof(c->operand) - write_pos) {
+ if (program_info_length > sizeof(c->operand) - 4 - write_pos) {
ret = -EINVAL;
goto out;
}
@@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);
- if (es_info_length > sizeof(c->operand) - write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 -
+ write_pos) {
ret = -EINVAL;
goto out;
}