Google Git
Sign in
kunit / linux / 525cac75740542e23c31cd0f248f9b29ae4978e9
commit525cac75740542e23c31cd0f248f9b29ae4978e9[log] [tgz]
authorDaniel Scheller <d.scheller@gmx.net>Wed May 09 16:08:00 2018 -0400
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>Mon May 28 17:43:20 2018 -0400
tree98a7ba3a1574f98363d98d67ebbc5e8970941656
parentd7832cd2a3c87eb6ae1e802c88b6fc56c5823f6d [diff]
media: ddbridge/mci: protect against out-of-bounds array access in stop()

In stop(), an (unlikely) out-of-bounds write error can occur when setting
the demod_in_use element indexed by state->demod to zero, as state->demod
isn't checked for being in the range of the array size of demod_in_use, and
state->demod maybe carrying the magic 0xff (demod unused) value. Prevent
this by checking state->demod not exceeding the array size before setting
the element value. To make the code a bit easier to read, replace the magic
value and the number of array elements with defines, and use them at a few
more places.

Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")

Thanks to Colin for reporting the problem and providing an initial patch.

Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")

Reported-by: Colin Ian King <colin.king@canonical.com>
Cc: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2 files changed
tree: 98a7ba3a1574f98363d98d67ebbc5e8970941656
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .clang-format
  25. .cocciconfig
  26. .get_maintainer.ignore
  27. .gitattributes
  28. .gitignore
  29. .mailmap
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README