[bug report] ttusb-dec: read overflow in ttusb_dec_process_pva()


 



Hi linux media devs,

I am getting the following static checker warning:

	drivers/media/usb/ttusb-dec/ttusb_dec.c:474 ttusb_dec_process_pva()
	error: __memcpy() '&pva[8]' too small (6140 vs 6144)

drivers/media/usb/ttusb-dec/ttusb_dec.c
   419  static void ttusb_dec_process_pva(struct ttusb_dec *dec, u8 *pva, int length)
   420  {
   421          if (length < 8) {
   422                  printk("%s: packet too short - discarding\n", __func__);
   423                  return;
   424          }
   425  
   426          if (length > 8 + MAX_PVA_LENGTH) {

length is capped here, at 8 + MAX_PVA_LENGTH.

   427                  printk("%s: packet too long - discarding\n", __func__);
   428                  return;
   429          }
   430  
   431          switch (pva[2]) {
   432  
   433          case 0x01: {            /* VideoStream */
   434                  int prebytes = pva[5] & 0x03;
   435                  int postbytes = (pva[5] & 0x0c) >> 2;
   436                  __be16 v_pes_payload_length;
   437  
   438                  if (output_pva) {
   439                          dec->video_filter->feed->cb.ts(pva, length, NULL, 0,
   440                                  &dec->video_filter->feed->feed.ts);
   441                          return;
   442                  }
   443  
   444                  if (dec->v_pes_postbytes > 0 &&
   445                      dec->v_pes_postbytes == prebytes) {
   446                          memcpy(&dec->v_pes[dec->v_pes_length],
   447                                 &pva[12], prebytes);
   448  
   449                          dvb_filter_pes2ts(&dec->v_pes2ts, dec->v_pes,
   450                                            dec->v_pes_length + prebytes, 1);
   451                  }
   452  
   453                  if (pva[5] & 0x10) {
   454                          dec->v_pes[7] = 0x80;
   455                          dec->v_pes[8] = 0x05;
   456  
   457                          dec->v_pes[9] = 0x21 | ((pva[8] & 0xc0) >> 5);
   458                          dec->v_pes[10] = ((pva[8] & 0x3f) << 2) |
   459                                           ((pva[9] & 0xc0) >> 6);
   460                          dec->v_pes[11] = 0x01 |
   461                                           ((pva[9] & 0x3f) << 2) |
   462                                           ((pva[10] & 0x80) >> 6);
   463                          dec->v_pes[12] = ((pva[10] & 0x7f) << 1) |
   464                                           ((pva[11] & 0xc0) >> 7);
   465                          dec->v_pes[13] = 0x01 | ((pva[11] & 0x7f) << 1);
   466  
   467                          memcpy(&dec->v_pes[14], &pva[12 + prebytes],
   468                                 length - 12 - prebytes);
   469                          dec->v_pes_length = 14 + length - 12 - prebytes;
   470                  } else {
   471                          dec->v_pes[7] = 0x00;
   472                          dec->v_pes[8] = 0x00;
   473  
   474                          memcpy(&dec->v_pes[9], &pva[8], length - 8);

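The problem is that pva[] comes from (struct ttusb_dec)->packet which
has MAX_PVA_LENGTH + 4 bytes and not + 8 bytes.  The check at line 426
lets length be as large as 8 + MAX_PVA_LENGTH, so this memcpy() can read
up to MAX_PVA_LENGTH (6144) bytes starting at &pva[8], where only
MAX_PVA_LENGTH + 4 - 8 = 6140 bytes of the buffer remain.  I am not sure
how to fix this.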

   475                          dec->v_pes_length = 9 + length - 8;
   476                  }
   477  

regards,
dan carpenter