Message ID | b5e6ddaf21e8e2c8517b21bfc36ebc09d8f33a20.1430235781.git.mchehab@osg.samsung.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On April 28, 2015 11:43:41 AM EDT, Mauro Carvalho Chehab <mchehab@osg.samsung.com> wrote: >As reported by smatch: > drivers/media/pci/cx18/cx18-driver.c:807 cx18_init_struct2() error: >buffer overflow 'cx->card->video_inputs' 6 <= 6 > >That happens because nof_inputs and nof_audio_inputs can be initialized >as CX18_CARD_MAX_VIDEO_INPUTS, instead of CX18_CARD_MAX_VIDEO_INPUTS - >1. > >Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> > >diff --git a/drivers/media/pci/cx18/cx18-driver.c >b/drivers/media/pci/cx18/cx18-driver.c >index 83f5074706f9..260e462d91b4 100644 >--- a/drivers/media/pci/cx18/cx18-driver.c >+++ b/drivers/media/pci/cx18/cx18-driver.c >@@ -786,11 +786,11 @@ static void cx18_init_struct2(struct cx18 *cx) > { > int i; > >- for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS; i++) >+ for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS - 1; i++) > if (cx->card->video_inputs[i].video_type == 0) > break; > cx->nof_inputs = i; >- for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS; i++) >+ for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS - 1; i++) > if (cx->card->audio_inputs[i].audio_type == 0) > break; > cx->nof_audio_inputs = i; Acked-by: Andy Walls <awalls@md.metrocast.net> -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/media/pci/cx18/cx18-driver.c b/drivers/media/pci/cx18/cx18-driver.c index 83f5074706f9..260e462d91b4 100644 --- a/drivers/media/pci/cx18/cx18-driver.c +++ b/drivers/media/pci/cx18/cx18-driver.c @@ -786,11 +786,11 @@ static void cx18_init_struct2(struct cx18 *cx) { int i; - for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS; i++) + for (i = 0; i < CX18_CARD_MAX_VIDEO_INPUTS - 1; i++) if (cx->card->video_inputs[i].video_type == 0) break; cx->nof_inputs = i; - for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS; i++) + for (i = 0; i < CX18_CARD_MAX_AUDIO_INPUTS - 1; i++) if (cx->card->audio_inputs[i].audio_type == 0) break; cx->nof_audio_inputs = i;
As reported by smatch: drivers/media/pci/cx18/cx18-driver.c:807 cx18_init_struct2() error: buffer overflow 'cx->card->video_inputs' 6 <= 6 That happens because nof_inputs and nof_audio_inputs can be initialized as CX18_CARD_MAX_VIDEO_INPUTS, instead of CX18_CARD_MAX_VIDEO_INPUTS - 1. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>