2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-07 13:13:57 +08:00
linux-next/drivers/media/usb
Mauro Carvalho Chehab 845b978a87 media: rtl28xxu: be sure that it won't go past the array size
smatch warns that the RC query code could go past the array size:

	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1757 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130
	drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1758 rtl2832u_rc_query() error: buffer overflow 'buf' 128 <= 130

The driver logic gets the length of the IR RX buffer with:

        ret = rtl28xxu_rd_reg(d, IR_RX_BC, &buf[0]);
	...
        len = buf[0];

In thesis, this could range between 0 and 255 [1].

While this should never happen in practice, due to hardware limits,
smatch is right when it complains about that, as there's nothing at
the logic that would prevent it. So, if for whatever reason, buf[0]
gets filled by rtl28xx read functions with a value bigger than 128,
it will go past the array.

So, add an explicit check.

[1] I've no idea why smatch thinks that the maximum value is 130.
I double-checked the code several times. Was unable to find any
reason for assuming 130. Perhaps smatch is not properly parsing
u8 here?

Fixes: b5cbaa43a6 ("[media] rtl28xx: initial support for rtl2832u")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-08-08 10:57:14 -04:00
..
airspy media: usb: make video_device const 2017-08-27 08:45:32 -04:00
as102 media: fix usage of whitespaces and on indentation 2018-01-04 13:12:01 -05:00
au0828 media: au0828: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:09:58 -04:00
b2c2 media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
cpia2 treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
cx231xx media: cx231xx: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:09:41 -04:00
dvb-usb media: dvb-usb: fix spelling mistake: "completition" -> "completion" 2018-08-03 16:08:55 -04:00
dvb-usb-v2 media: rtl28xxu: be sure that it won't go past the array size 2018-08-08 10:57:14 -04:00
em28xx media: usb: em28xx: Replace mdelay() with msleep() in em28xx_pre_card_setup() 2018-08-02 19:15:53 -04:00
go7007 media: go7007: use irqsave() in USB's complete callback 2018-08-02 13:50:14 -04:00
gspca media: gspca_kinect: cast sizeof to int for comparison 2018-07-25 08:35:12 -04:00
hackrf media: usb: hackrf: Replace GFP_ATOMIC with GFP_KERNEL 2018-08-02 19:16:17 -04:00
hdpvr media: hdpvr: don't check number of messages in the driver 2018-07-27 06:39:57 -04:00
msi2500 media: usb: fix spelling mistake: "synchronuously" -> "synchronously" 2017-11-07 03:47:09 -05:00
pulse8-cec media: pulse8-cec: print time using time64_t 2017-12-08 11:08:22 -05:00
pvrusb2 treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
pwc media: replace all <spaces><tab> occurrences 2018-01-04 13:15:05 -05:00
rainshadow-cec media: usb: rainshadow-cec: constify serio_device_id 2017-08-20 08:27:29 -04:00
s2255 media: s2255drv: fix a casting warning 2018-03-23 06:56:55 -04:00
siano media: siano: use GFP_DMA only for smssdio 2018-05-15 08:04:42 -04:00
stk1160 media: stk1160: Set the vb2_queue lock before calling vb2_queue_init 2018-07-04 08:03:43 -04:00
stkwebcam treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
tm6000 media: tm6000: don't check number of messages in the driver 2018-07-27 06:39:57 -04:00
ttusb-budget media updates for v4.16-rc1 2018-02-06 11:27:48 -08:00
ttusb-dec media: dvb: represent min/max/step/tolerance freqs in Hz 2018-08-02 18:10:48 -04:00
usbtv media: usbtv: use irqsave() in USB's complete callback 2018-08-02 14:17:15 -04:00
usbvision treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
uvc media: uvcvideo: Send a control event when a Control Change interrupt arrives 2018-07-27 06:39:57 -04:00
zr364xx docs: Fix some broken references 2018-06-15 18:10:01 -03:00
Kconfig [media] rainshadow-cec: new RainShadow Tech HDMI CEC driver 2017-04-10 12:42:10 -03:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00