Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3011e5e5 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab
Browse files

[media] firewire: firedtv-avc: potential buffer overflow 



"program_info_length" is user controlled and can go up to 4095.  The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
parent f2e323ec

drivers/media/firewire/firedtv-avc.c

+9 −0
Original line number Diff line number Diff line
@@ -1157,6 +1157,10 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) 
		if (pmt_cmd_id != 1 && pmt_cmd_id != 4)

			dev_err(fdtv->device,

				"invalid pmt_cmd_id %d\n", pmt_cmd_id);

		if (program_info_length > sizeof(c->operand) - write_pos) {

			ret = -EINVAL;

			goto out;

		}



		memcpy(&c->operand[write_pos], &msg[read_pos],

		       program_info_length);
@@ -1180,6 +1184,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) 
				dev_err(fdtv->device, "invalid pmt_cmd_id %d "

					"at stream level\n", pmt_cmd_id);



			if (es_info_length > sizeof(c->operand) - write_pos) {

				ret = -EINVAL;

				goto out;

			}



			memcpy(&c->operand[write_pos], &msg[read_pos],

			       es_info_length);

			read_pos += es_info_length;