[media] firewire: firedtv-avc: fix more potential buffer overflow (7ac95cf5) · Commits · e / devices / android_kernel_fairphone_FP3

"program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. The " - 4" in the limit check is because we have 4 bytes more data to add after the memcpy(). [mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed to rebase to apply just the differences between v1 and v2] Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:

Mauro Carvalho Chehab <mchehab@osg.samsung.com>

drivers/media/firewire/firedtv-avc.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -1157,7 +1157,7 @@ int avc_ca_pmt(struct firedtv fdtv, char msg, int length)
		if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
		dev_err(fdtv->device,
		"invalid pmt_cmd_id %d\n", pmt_cmd_id);
		if (program_info_length > sizeof(c->operand) - write_pos) {
		if (program_info_length > sizeof(c->operand) - 4 - write_pos) {
		ret = -EINVAL;
		goto out;
		}
		@@ -1184,7 +1184,8 @@ int avc_ca_pmt(struct firedtv fdtv, char msg, int length)
		dev_err(fdtv->device, "invalid pmt_cmd_id %d "
		"at stream level\n", pmt_cmd_id);

		if (es_info_length > sizeof(c->operand) - write_pos) {
		if (es_info_length > sizeof(c->operand) - 4 -
		write_pos) {
		ret = -EINVAL;
		goto out;
		}