Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-14 15:13:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
2bcbeeb297
linux/drivers/media
History
Dan Carpenter faa4364bef media: stk1160: fix bounds checking in stk1160_copy_video() 
The subtract in this condition is reversed.  The ->length is the length
of the buffer.  The ->bytesused is how many bytes we have copied thus
far.  When the condition is reversed that means the result of the
subtraction is always negative but since it's unsigned then the result
is a very high positive value.  That means the overflow check is never
true.

Additionally, the ->bytesused doesn't actually work for this purpose
because we're not writing to "buf->mem + buf->bytesused".  Instead, the
math to calculate the destination where we are writing is a bit
involved.  You calculate the number of full lines already written,
multiply by two, skip a line if necessary so that we start on an odd
numbered line, and add the offset into the line.

To fix this buffer overflow, just take the actual destination where we
are writing, if the offset is already out of bounds print an error and
return.  Otherwise, write up to buf->length bytes.

Fixes: 9cb2173e6e ("[media] media: Add stk1160 new driver (easycap replacement)")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-04-24 13:49:56 +02:00
..
cec media: cec: return -ENODEV instead of -ENXIO if unregistered 2024-04-24 13:49:55 +02:00
common media: videobuf2: improve max_num_buffers sanity checks 2024-04-24 13:49:55 +02:00
dvb-core media: dvbdev: Initialize sbuf 2024-04-08 13:48:19 +02:00
dvb-frontends media: dvb-frontends: drx39xyj: Refactor firmware upload 2024-04-15 13:42:38 +02:00
firewire media: firewire: firedtv-avc.c: replace BUG with proper, error return 2023-08-10 07:58:37 +02:00
i2c media: imx335: Describe CCI struct member 2024-04-22 13:05:51 +02:00
mc media: mc: mark the media devnode as registered from the, start 2024-04-22 11:41:04 +02:00
mmc media: mmc: siano: simplify module initialization 2024-04-08 13:48:19 +02:00
pci media: ttpci: coding style fixes: logging 2024-04-16 00:02:53 +02:00
platform media: ti: j721e-csi2rx: Fix races while restarting DMA 2024-04-22 11:41:04 +02:00
radio media: radio-shark2: Avoid led_names truncations 2024-04-08 13:48:19 +02:00
rc media: imon: Convert sprintf/snprintf to sysfs_emit 2024-03-25 10:13:44 +01:00
spi media: cxd2880: Replaze kmalloc with kzalloc 2024-04-15 13:42:38 +02:00
test-drivers media: v4l2: Add mem2mem helpers for REMOVE_BUFS ioctl 2024-03-25 12:00:44 +01:00
tuners media: tunner: xc5000: Refactor firmware load 2024-04-15 13:42:38 +02:00
usb media: stk1160: fix bounds checking in stk1160_copy_video() 2024-04-24 13:49:56 +02:00
v4l2-core media: v4l2-core: hold videodev_lock until dev reg, finishes 2024-04-24 13:49:55 +02:00
Kconfig media: Kconfig: Make DVB_CORE=m possible when MEDIA_SUPPORT=y 2022-12-07 17:58:46 +01:00
Makefile