On April 28, 2015 11:43:41 AM EDT, Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxx> wrote:
>As reported by smatch:
> drivers/media/pci/cx18/cx18-driver.c:807 cx18_init_struct2() error:
>buffer overflow 'cx->card->video_inputs' 6 <= 6
>
>That happens because nof_inputs and nof_audio_inputs can be initialized
>as CX18_CARD_MAX_VIDEO_INPUTS, instead of CX18_CARD_MAX_VIDEO_INPUTS -
>1.
>
>Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxx>
>
>diff --git a/drivers/media/pci/cx18/cx18-driver.c
>b/drivers/media/pci/cx18/cx18-driver.c
>index 83f5074706f9..260e462d91b4 100644
>--- a/drivers/media/pci/cx18/cx18-driver.c
>+++ b/drivers/media/pci/cx18/cx18-driver.c
>@@ -786,11 +786,11 @@ static void cx18_init_struct2(struct cx18 *cx)
> {
> int i;
>
>- for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS; i++)
>+ for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS - 1; i++)
> if (cx->card->video_inputs[i].video_type == 0)
> break;
> cx->nof_inputs = i;
>- for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS; i++)
>+ for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS - 1; i++)
> if (cx->card->audio_inputs[i].audio_type == 0)
> break;
> cx->nof_audio_inputs = i;
Acked-by: Andy Walls <awalls@xxxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
