"program_info_length" is user controlled and can go up to 4095. The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.
The " - 4" in the limit check is because we have 4 bytes more data to
add after the memcpy().
[mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed
to rebase to apply just the differences between v1 and v2]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
"program_info_length" is user controlled and can go up to 4095. The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Dan Carpenter