The memcpy in shadow_store() could exceed buffer limits when r > 0.
Signed-off-by: Gianluca Gennari <gennarone@xxxxxxxxx>
---
drivers/media/tuners/r820t.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
index d8fd16a..2d6d498 100644
--- a/drivers/media/tuners/r820t.c
+++ b/drivers/media/tuners/r820t.c
@@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val,
}
if (len <= 0)
return;
- if (len > NUM_REGS)
- len = NUM_REGS;
+ if (len > NUM_REGS - r)
+ len = NUM_REGS - r;
tuner_dbg("%s: prev reg=%02x len=%d: %*ph\n",
__func__, r + REG_SHADOW_START, len, len, val);
--
1.8.2.2
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
