mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-17 01:34:00 +08:00
[media] firewire: firedtv-avc: potential buffer overflow
"program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
This commit is contained in:
parent
f2e323ec96
commit
3011e5e592
@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
|
||||
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
|
||||
dev_err(fdtv->device,
|
||||
"invalid pmt_cmd_id %d\n", pmt_cmd_id);
|
||||
if (program_info_length > sizeof(c->operand) - write_pos) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
memcpy(&c->operand[write_pos], &msg[read_pos],
|
||||
program_info_length);
|
||||
@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
|
||||
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
|
||||
"at stream level\n", pmt_cmd_id);
|
||||
|
||||
if (es_info_length > sizeof(c->operand) - write_pos) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
memcpy(&c->operand[write_pos], &msg[read_pos],
|
||||
es_info_length);
|
||||
read_pos += es_info_length;
|
||||
|
Loading…
Reference in New Issue
Block a user