korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-27 22:24:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
faa4364bef
linux/drivers/media/usb
History
Dan Carpenter faa4364bef media: stk1160: fix bounds checking in stk1160_copy_video() 
The subtract in this condition is reversed.  The ->length is the length
of the buffer.  The ->bytesused is how many bytes we have copied thus
far.  When the condition is reversed that means the result of the
subtraction is always negative but since it's unsigned then the result
is a very high positive value.  That means the overflow check is never
true.

Additionally, the ->bytesused doesn't actually work for this purpose
because we're not writing to "buf->mem + buf->bytesused".  Instead, the
math to calculate the destination where we are writing is a bit
involved.  You calculate the number of full lines already written,
multiply by two, skip a line if necessary so that we start on an odd
numbered line, and add the offset into the line.

To fix this buffer overflow, just take the actual destination where we
are writing, if the offset is already out of bounds print an error and
return.  Otherwise, write up to buf->length bytes.

Fixes: 9cb2173e6e ("[media] media: Add stk1160 new driver (easycap replacement)")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-04-24 13:49:56 +02:00
..
airspy media: usb: airspy: Stop direct calls to queue num_buffers field 2023-11-23 12:35:58 +01:00
as102 media: usb: as102: drop as102_dev NULL check 2023-06-09 16:07:30 +01:00
au0828 media: mc: Make media_get_pad_index() use pad type flag 2023-05-25 16:21:22 +02:00
b2c2 media: flexcop-usb: use usb_endpoint_maxp() 2022-09-26 10:59:25 +02:00
cx231xx media: cx231xx: controls are from another device, mark this 2024-02-05 12:57:44 +01:00
dvb-usb media: dvb-usb: dib0700_devices: Add missing release_firmware() 2024-04-15 13:42:38 +02:00
dvb-usb-v2 media: anysee: accept read buffers of length 1 in anysee_master_xfer 2024-04-08 13:48:18 +02:00
em28xx media: em28xx: annotate unchecked call to media_device_register() 2024-02-05 12:57:44 +01:00
go7007 media: go7007: fix a memleak in go7007_load_encoder 2024-02-28 16:00:33 +01:00
gspca media: videobuf2: core: Rename min_buffers_needed field in vb2_queue 2023-12-13 17:31:27 +01:00
hackrf media: usb: hackrf: Stop direct calls to queue num_buffers field 2023-11-23 12:36:42 +01:00
hdpvr media: hdpvr: fix error value returns in hdpvr_read 2022-06-27 09:02:50 +01:00
msi2500 media: usb/msi2500: Follow renaming of SPI "master" to "controller" 2024-02-08 11:54:41 +00:00
pvrusb2 media: pvrusb2: fix uaf in pvr2_context_set_notify 2024-02-28 16:00:33 +01:00
pwc media: usb: pwc-uncompress: Use flex array destination for memcpy() 2022-12-07 17:58:46 +01:00
s2255 media: usb: s2255: Refactor s2255_get_fx2fw 2024-02-28 16:00:32 +01:00
siano media: usb: siano: Fix allocation of urbs 2024-04-16 00:02:53 +02:00
stk1160 media: stk1160: fix bounds checking in stk1160_copy_video() 2024-04-24 13:49:56 +02:00
ttusb-budget media: dvb-ttusb-budget: cleanup printk logic 2020-09-03 11:15:47 +02:00
ttusb-dec media: ttusb-dec: remove unnecessary (void*) conversions 2023-07-19 12:57:47 +02:00
usbtv media: usbtv: Remove useless locks in usbtv_video_free() 2024-03-04 12:58:38 +01:00
uvc media: uvcvideo: Disable autosuspend for Insta360 Link 2024-04-19 13:48:38 +03:00
Kconfig media: tm6000: deprecate this driver 2022-08-29 16:43:00 +02:00
Makefile media: tm6000: deprecate this driver 2022-08-29 16:43:00 +02:00