author Mauro Carvalho Chehab <mchehab@osg.samsung.com> 2014-12-04 17:48:42 +0100
committer Mauro Carvalho Chehab <mchehab@osg.samsung.com> 2014-12-04 18:28:46 +0100
commit ffe300107d931c5cde5383db420b90e856db84ed
tree 20d2209a373f3bffd39ecd8d47f730c8dab486f0
parent [media] stv090x: Remove an unreachable code
[media] stv090x: add an extra protection against buffer overflow

As pointed out by smatch:

	drivers/media/dvb-frontends/stv090x.c:2787 stv090x_optimize_carloop() error: buffer overflow 'car_loop_apsk_low' 11 <= 13
	drivers/media/dvb-frontends/stv090x.c:2789 stv090x_optimize_carloop() error: buffer overflow 'car_loop_apsk_low' 11 <= 13
	drivers/media/dvb-frontends/stv090x.c:2791 stv090x_optimize_carloop() error: buffer overflow 'car_loop_apsk_low' 11 <= 13
	drivers/media/dvb-frontends/stv090x.c:2793 stv090x_optimize_carloop() error: buffer overflow 'car_loop_apsk_low' 11 <= 13
	drivers/media/dvb-frontends/stv090x.c:2795 stv090x_optimize_carloop() error: buffer overflow 'car_loop_apsk_low' 11 <= 13

The situation of a buffer overflow won't happen, in practice, with the current values of car_loop table. Yet, the entire logic that checks for those registration values is too complex. So, better to add an explicit check, just in case someone changes the car_loop tables causing a buffer overflow by mistake.

This also helps to remove several smatch warnings, which is good.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

-rw-r--r-- drivers/media/dvb-frontends/stv090x.c | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/media/dvb-frontends/stv090x.c b/drivers/media/dvb-frontends/stv090x.c
index bce9cc1072aa..0b2a934f53e5 100644
--- a/drivers/media/dvb-frontends/stv090x.c
+++ b/drivers/media/dvb-frontends/stv090x.c
@@ -2783,6 +2783,12 @@ static u8 stv090x_optimize_carloop(struct stv090x_state *state, enum stv090x_mod
aclc = car_loop[i].crl_pilots_off_30;
}
} else { /* 16APSK and 32APSK */
+ /*
+ * This should never happen in practice, except if
+ * something is really wrong at the car_loop table.
+ */
+ if (i >= 11)
+ i = 10;
if (state->srate <= 3000000)
aclc = car_loop_apsk_low[i].crl_pilots_on_2;
else if (state->srate <= 7000000)
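
Review bot: The bound in `if (i >= 11) i = 10;` is hard-coded, so it goes stale as soon as car_loop_apsk_low is resized, which is exactly the case the new comment says it guards against. Deriving it from the table keeps the check and the array in step: `if (i >= ARRAY_SIZE(car_loop_apsk_low)) i = ARRAY_SIZE(car_loop_apsk_low) - 1;`. The clamp is also silent: an out-of-range index ends up using the last row's coefficients with no trace, so a WARN_ON_ONCE() or a warning log on this path would expose a broken table instead of quietly selecting a wrong aclc value.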