I was doing some work trying to figure out the format for the firmware fed into tuner-xc2028.c, and caused a panic when I gave it some malformed input. The size field can be some obscenely large number which causes an integer wraparound when comparing it to the end pointer (the p + size < endp test passes when size is large enough to wrap around). The attached patch against the trunk just tweaks the math for the calculation to avoid the wraparound bug.

Could somebody please provide any information regarding the format of the expected firmware file? I have been playing around with v4l_experimental/xc3028/convert.c as well as v4l2-apps/util/xc3028-firmware/firmware-tool.c and it's not clear what the expected input is. Better yet, if somebody could point me to a sample firmware file that works, I'm sure I can work backwards from there (in my case I'm trying to get the HVR-950 working).

On a side note, is v4l/xc3028.c actually used for anything? I spent some time digging around in the firmware loading code there before I realized that the actual code being used was in tuner-xc2028.c. If it is dead code, can it be dropped from the repository?

Thanks,

--
Devin J. Heitmueller
http://www.devinheitmueller.com
AIM: devinheitmueller
diff -r 2fab53c4a74f linux/drivers/media/video/tuner-xc2028.c --- a/linux/drivers/media/video/tuner-xc2028.c Sat Dec 08 10:34:37 2007 -0200 +++ b/linux/drivers/media/video/tuner-xc2028.c Sun Dec 09 22:11:08 2007 -0500 @@ -347,7 +347,7 @@ static int load_all_firmwares(struct dvb size = le32_to_cpu(*(__u32 *) p); p += sizeof(size); - if ((!size) || (size + p > endp)) { + if ((!size) || (size > endp - p)) { tuner_err("Firmware type "); dump_firm_type(type); printk("(%x), id %llx is corrupted "
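Review bot: the new `size > endp - p` test compares the 32-bit unsigned value read via `le32_to_cpu` against the signed `ptrdiff_t` `endp - p`, which is only safe while `p <= endp` still holds after `p += sizeof(size)`; nothing visible in the hunk guards the four-byte read of `size` itself against running past `endp`. If `p` can already be within fewer than four bytes of `endp` when the loop reaches `size = le32_to_cpu(*(__u32 *) p);`, the read overruns the buffer and `endp - p` goes negative, and on a 32-bit build a negative `ptrdiff_t` converts to a large unsigned value in that comparison, so the corruption check would not trigger. Suggest adding `if (endp - p < sizeof(size))` (treated as corrupted) immediately before the read, so the new comparison always operates on a non-negative remaining length.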
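To make the wraparound described in the message concrete, here is an added example that is not code from tuner-xc2028.c or from the patch. It models a blob of records (an assumed layout: little-endian u32 size followed by that many payload bytes, not the real xc2028 format) and walks it twice, once with the pre-patch `cursor + size <= end` test and once with the patched `size <= end - cursor` test. Addresses are simulated as uint32_t values with an assumed base of 0xC0000000, so the 32-bit pointer wrap reproduces on any host; the function names, the sample blobs and the -1/-2 return codes are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from tuner-xc2028.c. Record layout assumed here:
 * a little-endian u32 size followed by `size` payload bytes, repeated to the
 * end of the blob. Addresses are modelled as uint32_t so that the pointer
 * wraparound of a 32-bit kernel reproduces on any host.
 */

typedef int (*fits_fn)(uint32_t cursor, uint32_t size, uint32_t end);

/* Pre-patch form of the test: compute cursor + size first, then compare.
 * The addition wraps modulo 2^32, so a huge size can land below `end`. */
static int record_fits_naive(uint32_t cursor, uint32_t size, uint32_t end)
{
    uint32_t after = cursor + size;       /* wraps for large size */
    return after <= end;
}

/* Patched form: compare size against the bytes remaining. Requires the
 * caller to keep cursor <= end, which walk_blob() below does. */
static int record_fits_safe(uint32_t cursor, uint32_t size, uint32_t end)
{
    return size <= end - cursor;
}

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Walk the records in blob[0..len). `base` is the simulated address of
 * blob[0]. Returns the record count, -1 if the bounds check rejected a
 * record, or -2 if the check accepted a record that does not actually fit
 * (the case that would read past the buffer and panic in the driver).
 */
static int walk_blob(const unsigned char *blob, size_t len, uint32_t base, fits_fn fits)
{
    uint32_t cursor = base, end = base + (uint32_t)len;
    int n = 0;

    while (cursor < end) {
        /* Guard the 4-byte size read itself before dereferencing. */
        if (end - cursor < sizeof(uint32_t))
            return -1;
        uint32_t size = rd_le32(blob + (cursor - base));
        cursor += sizeof(uint32_t);

        if (size == 0 || !fits(cursor, size, end))
            return -1;

        /* Ground truth in 64-bit arithmetic, so the example never touches
         * memory outside blob even when the check under test was fooled. */
        if ((uint64_t)(cursor - base) + size > len)
            return -2;

        cursor += size;   /* payload would be parsed here */
        n++;
    }
    return n;
}

/* Constructed inputs (not real xc2028 firmware). The simulated base is a
 * typical 32-bit kernel virtual address. */
#define SIM_BASE 0xC0000000u

static const unsigned char good_blob[16] = {
    0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd',   /* size 4, 4 bytes */
    0x04, 0x00, 0x00, 0x00, 'e', 'f', 'g', 'h',   /* size 4, 4 bytes */
};

/* Second record claims size 0xFFFFFFF8: cursor (base+12) + size wraps to
 * base+4, which is "below" end (base+16), so the naive test passes. */
static const unsigned char evil_blob[16] = {
    0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd',
    0xF8, 0xFF, 0xFF, 0xFF, 'e', 'f', 'g', 'h',
};

int demo_good_naive(void) { return walk_blob(good_blob, sizeof good_blob, SIM_BASE, record_fits_naive); }
int demo_good_safe(void)  { return walk_blob(good_blob, sizeof good_blob, SIM_BASE, record_fits_safe); }
int demo_evil_naive(void) { return walk_blob(evil_blob, sizeof evil_blob, SIM_BASE, record_fits_naive); }
int demo_evil_safe(void)  { return walk_blob(evil_blob, sizeof evil_blob, SIM_BASE, record_fits_safe); }

int main(void)
{
    printf("good blob: naive=%d safe=%d\n", demo_good_naive(), demo_good_safe());
    printf("evil blob: naive=%d safe=%d\n", demo_evil_naive(), demo_evil_safe());
    return 0;
}
```

The walk also checks that four bytes remain before reading the size field, which is the guard the patched comparison relies on: `end - cursor` must never be negative for `size <= end - cursor` to mean what it says. Both checks accept the well-formed blob; on the crafted blob the naive test is fooled by the wrap and the walker reports -2 (it would have read out of bounds), while the patched test rejects the record with -1.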
_______________________________________________ linux-dvb mailing list linux-dvb@xxxxxxxxxxx http://www.linuxtv.org/cgi-bin/mailman/listinfo/linux-dvb