summaryrefslogtreecommitdiffstats
path: root/drivers/media
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2013-02-07 08:24:49 +0100
committerMauro Carvalho Chehab <mchehab@redhat.com>2013-02-08 20:29:52 +0100
commitbf5bbed15c41228ea1abbb8d3931050922bfc37f (patch)
tree84e9db5c9d1e57a42ccbcb7ffaaefb8d0ee1f025 /drivers/media
parent[media] s5p-tv: Include missing platform_device.h header (diff)
downloadlinux-bf5bbed15c41228ea1abbb8d3931050922bfc37f.tar.xz
linux-bf5bbed15c41228ea1abbb8d3931050922bfc37f.zip
[media] dvb-usb: check for invalid length in ttusb_process_muxpack()
This patch is driven by a static checker warning. The ttusb_process_muxpack() function is only called from ttusb_process_frame(). Before calling, it verifies that len >= 2. The problem is that len == 2 is not valid and would lead to an array underflow. Odd number values for len are also invalid and would lead to reading past the end of the array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
index 5b682cc4c814..e40718552850 100644
--- a/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/usb/ttusb-budget/dvb-ttusb-budget.c
@@ -561,6 +561,13 @@ static void ttusb_process_muxpack(struct ttusb *ttusb, const u8 * muxpack,
{
u16 csum = 0, cc;
int i;
+
+ if (len < 4 || len & 0x1) {
+ pr_warn("%s: muxpack has invalid len %d\n", __func__, len);
+ numinvalid++;
+ return;
+ }
+
for (i = 0; i < len; i += 2)
csum ^= le16_to_cpup((__le16 *) (muxpack + i));
if (csum) {