From 64e01cbd9d3e22e38eadeff9e0d251d0d7d1c9d2 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Wed, 24 Sep 2014 15:35:55 -0300 Subject: [media] pms: Fix a bad usage of the stack As warned by smatch: drivers/media/parport/pms.c:632:21: warning: Variable length array is used. The pms driver is doing something really bad: it is using the stack to read data into a buffer whose size is given by the user by the read() syscall. Replace it by a dynamically allocated buffer. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/parport/pms.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/parport/pms.c b/drivers/media/parport/pms.c index 9bc105b3db1b..e6b497528cea 100644 --- a/drivers/media/parport/pms.c +++ b/drivers/media/parport/pms.c @@ -629,11 +629,15 @@ static int pms_capture(struct pms *dev, char __user *buf, int rgb555, int count) { int y; int dw = 2 * dev->width; - char tmp[dw + 32]; /* using a temp buffer is faster than direct */ + char *tmp; /* using a temp buffer is faster than direct */ int cnt = 0; int len = 0; unsigned char r8 = 0x5; /* value for reg8 */ + tmp = kmalloc(dw + 32, GFP_KERNEL); + if (!tmp) + return 0; + if (rgb555) r8 |= 0x20; /* else use untranslated rgb = 565 */ mvv_write(dev, 0x08, r8); /* capture rgb555/565, init DRAM, PC enable */ @@ -664,6 +668,7 @@ static int pms_capture(struct pms *dev, char __user *buf, int rgb555, int count) len += dt; } } + kfree(tmp); return len; } -- cgit v1.2.3