On Sep 08 Dan Carpenter wrote:
> "program_info_length" is user controlled and can go up to 4095. The
> operand[] array has 509 bytes so we need to add a limit here to prevent
> buffer overflows.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
Thank you.
>
> diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
> index d1a1a13..ac17567 100644
> --- a/drivers/media/firewire/firedtv-avc.c
> +++ b/drivers/media/firewire/firedtv-avc.c
> @@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
> if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
> dev_err(fdtv->device,
> "invalid pmt_cmd_id %d\n", pmt_cmd_id);
> + if (program_info_length > sizeof(c->operand) - write_pos) {
> + ret = -EINVAL;
> + goto out;
> + }
>
> memcpy(&c->operand[write_pos], &msg[read_pos],
> program_info_length);
> @@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
> dev_err(fdtv->device, "invalid pmt_cmd_id %d "
> "at stream level\n", pmt_cmd_id);
>
> + if (es_info_length > sizeof(c->operand) - write_pos) {
> + ret = -EINVAL;
> + goto out;
> + }
> +
> memcpy(&c->operand[write_pos], &msg[read_pos],
> es_info_length);
> read_pos += es_info_length;
--
Stefan Richter
-=====-====- =--= -=---
http://arcgraph.de/sr/
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
