Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2168b416 authored by Sean Young's avatar Sean Young Committed by Mauro Carvalho Chehab
Browse files

media: rc: ensure we do not read out of bounds 



If rc_validate_filter() is called for CEC or XMP, then we would read
beyond the end of the array.

Suggested-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: default avatarSean Young <sean@mess.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent 86fe1ac0

drivers/media/rc/rc-main.c

+4 −1
Original line number Diff line number Diff line
@@ -733,7 +733,7 @@ EXPORT_SYMBOL_GPL(rc_keydown_notimeout); 
static int rc_validate_filter(struct rc_dev *dev,

			      struct rc_scancode_filter *filter)

{

	static u32 masks[] = {

	static const u32 masks[] = {

		[RC_TYPE_RC5] = 0x1f7f,

		[RC_TYPE_RC5X_20] = 0x1f7f3f,

		[RC_TYPE_RC5_SZ] = 0x2fff,
@@ -757,6 +757,9 @@ static int rc_validate_filter(struct rc_dev *dev, 
	u32 s = filter->data;

	enum rc_type protocol = dev->wakeup_protocol;



	if (protocol >= ARRAY_SIZE(masks))

		return -EINVAL;



	switch (protocol) {

	case RC_TYPE_NECX:

		if ((((s >> 16) ^ ~(s >> 8)) & 0xff) == 0)