V4L/DVB (8192): Try to fix a reg_w() bug
authorHans de Goede <j.w.r.degoede@hhs.nl>
Thu, 3 Jul 2008 11:15:22 +0000 (08:15 -0300)
committerMauro Carvalho Chehab <mchehab@infradead.org>
Sun, 20 Jul 2008 10:16:35 +0000 (07:16 -0300)
Signed-off-by: Hans de Goede <j.w.r.degoede@hhs.nl>
Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
drivers/media/video/gspca/sonixb.c

index 80911a21e4ae75fd0a97731b4617058a339e5298..7850efa41096280135010abc2824e01077caf715 100644 (file)
@@ -24,8 +24,8 @@
 
 #include "gspca.h"
 
-#define DRIVER_VERSION_NUMBER  KERNEL_VERSION(2, 1, 0)
-static const char version[] = "2.1.0";
+#define DRIVER_VERSION_NUMBER  KERNEL_VERSION(2, 1, 3)
+static const char version[] = "2.1.3";
 
 MODULE_AUTHOR("Michel Xhaard <mxhaard@users.sourceforge.net>");
 MODULE_DESCRIPTION("GSPCA/SN9C102 USB Camera Driver");
@@ -336,13 +336,22 @@ static void reg_w(struct usb_device *dev,
                          const __u8 *buffer,
                          __u16 len)
 {
+       __u8 tmpbuf[32];
+
+#ifdef CONFIG_VIDEO_ADV_DEBUG
+       if (len > sizeof tmpbuf) {
+               PDEBUG(D_ERR|D_PACK, "reg_w: buffer overflow");
+               return;
+       }
+#endif
+       memcpy(tmpbuf, buffer, len);
        usb_control_msg(dev,
                        usb_sndctrlpipe(dev, 0),
                        0x08,                   /* request */
                        USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
                        value,
                        0,                      /* index */
-                       (__u8 *) buffer, len,
+                       tmpbuf, len,
                        500);
 }
 
@@ -747,22 +756,20 @@ static void sd_pkt_scan(struct gspca_dev *gspca_dev,
                        unsigned char *data,            /* isoc packet */
                        int len)                        /* iso packet length */
 {
-       int p;
+       int i;
 
        if (len > 6 && len < 24) {
-               for (p = 0; p < len - 6; p++) {
-                       if (data[0 + p] == 0xff
-                           && data[1 + p] == 0xff
-                           && data[2 + p] == 0x00
-                           && data[3 + p] == 0xc4
-                           && data[4 + p] == 0xc4
-                           && data[5 + p] == 0x96) {   /* start of frame */
-                               frame = gspca_frame_add(gspca_dev,
-                                                       LAST_PACKET,
-                                                       frame,
-                                                       data, 0);
-                               data += 12;
-                               len -= 12;
+               for (i = 0; i < len - 6; i++) {
+                       if (data[0 + i] == 0xff
+                           && data[1 + i] == 0xff
+                           && data[2 + i] == 0x00
+                           && data[3 + i] == 0xc4
+                           && data[4 + i] == 0xc4
+                           && data[5 + i] == 0x96) {   /* start of frame */
+                               frame = gspca_frame_add(gspca_dev, LAST_PACKET,
+                                                       frame, data, 0);
+                               data += i + 12;
+                               len -= i + 12;
                                gspca_frame_add(gspca_dev, FIRST_PACKET,
                                                frame, data, len);
                                return;