diff options
| author | Daniel Scheller <d.scheller@gmx.net> | 2018-05-09 16:08:00 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-05-28 17:43:20 -0400 |
| commit | 525cac75740542e23c31cd0f248f9b29ae4978e9 (patch) | |
| tree | 98a7ba3a1574f98363d98d67ebbc5e8970941656 /README | |
| parent | d7832cd2a3c87eb6ae1e802c88b6fc56c5823f6d (diff) | |
| download | linux-525cac75740542e23c31cd0f248f9b29ae4978e9.tar.bz2 | |
media: ddbridge/mci: protect against out-of-bounds array access in stop()
In stop(), an (unlikely) out-of-bounds write error can occur when setting
the demod_in_use element indexed by state->demod to zero, as state->demod
isn't checked for being in the range of the array size of demod_in_use, and
state->demod maybe carrying the magic 0xff (demod unused) value. Prevent
this by checking state->demod not exceeding the array size before setting
the element value. To make the code a bit easier to read, replace the magic
value and the number of array elements with defines, and use them at a few
more places.
Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")
Thanks to Colin for reporting the problem and providing an initial patch.
Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")
Reported-by: Colin Ian King <colin.king@canonical.com>
Cc: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions