V4L/DVB: tm6000: Don't copy outside the buffer

tm6000 tm6000_irq_callback :urb resubmit failed (error=-1)
BUG: unable to handle kernel paging request at 000000000100f700
IP: [<ffffffffa007ee79>] tm6000_irq_callback+0x51e/0xac7 [tm6000]

(gdb) list * tm6000_irq_callback+0x51e
0x2e79 is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:363).
358                                             dev->isoc_ctl.tmp_buf_len--;
359                                     }
360                                     if (dev->isoc_ctl.tmp_buf_len) {
361                                             memcpy (&header,p,
362                                                     dev->isoc_ctl.tmp_buf_l$
363                                             memcpy (((u8 *)header)+
364                                                     dev->isoc_ctl.tmp_buf,
365                                                     ptr,
366                                                     4-dev->isoc_ctl.tmp_buf$
367                                             ptr+=4-dev->isoc_ctl.tmp_buf_le$

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
This commit is contained in:
Mauro Carvalho Chehab 2010-05-02 17:14:33 -03:00
parent f4b727b3ae
commit 801dd3b32d

View File

@ -360,13 +360,13 @@ static int copy_streams(u8 *data, u8 *out_p, unsigned long len,
dev->isoc_ctl.tmp_buf_len--;
}
if (dev->isoc_ctl.tmp_buf_len) {
memcpy (&header,p,
memcpy(&header, p,
dev->isoc_ctl.tmp_buf_len);
memcpy (((u8 *)header)+
dev->isoc_ctl.tmp_buf,
memcpy((u8 *)&header +
dev->isoc_ctl.tmp_buf_len,
ptr,
4-dev->isoc_ctl.tmp_buf_len);
ptr+=4-dev->isoc_ctl.tmp_buf_len;
4 - dev->isoc_ctl.tmp_buf_len);
ptr += 4 - dev->isoc_ctl.tmp_buf_len;
goto HEADER;
}
}