redonkable/remarkable-linux
redonkable/remarkable-linux
1
0
Fork 0
Code Releases Activity

[media] firewire: firedtv-avc: potential buffer overflow

Browse source 
"program_info_length" is user controlled and can go up to 4095.  The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
This commit is contained in:
Dan Carpenter 2014-09-08 08:18:43 -03:00 committed by Mauro Carvalho Chehab
parent f2e323ec96
commit 3011e5e592
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
drivers/media/firewire/firedtv-avc.c
View file

@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device,
"invalid pmt_cmd_id %d\n", pmt_cmd_id);
if (program_info_length > sizeof(c->operand) - write_pos) {
ret = -EINVAL;
goto out;
}
memcpy(&c->operand[write_pos], &msg[read_pos],
program_info_length);
@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);
if (es_info_length > sizeof(c->operand) - write_pos) {
ret = -EINVAL;
goto out;
}
memcpy(&c->operand[write_pos], &msg[read_pos],
es_info_length);
read_pos += es_info_length;