e9hack wrote: > Hi, > > it seems there is a bug in av7110_vbi_write() (av7110_v4l.c). If an user mode application > tries to write more bytes than the size of the structure v4l2_slices_vbi_data, > copy_from_user() will overwrite parts of the kernel stack. No, it cannot happen: | if (FW_VERSION(av7110->arm_app) < 0x2623 || !av7110->wssMode || count != sizeof d) | return -EINVAL; | if (copy_from_user(&d, data, count)) | return -EFAULT; copy_from_user() will only be called if count == sizeof d. CU Oliver -- ---------------------------------------------------------------- VDR Remote Plugin 0.4.0: http://www.escape-edv.de/endriss/vdr/ ---------------------------------------------------------------- -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
