media: rc: ensure we do not read out of bounds

If rc_validate_filter() is called for CEC or XMP, then we would read
beyond the end of the array.

Suggested-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index f306e67b8b660957951e2f549b2f0c31035a99e7..7aaf28bcb01e19b1e479f1f54f06e9c7d16b5378 100644 (file)
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -733,7 +733,7 @@ EXPORT_SYMBOL_GPL(rc_keydown_notimeout);
 static int rc_validate_filter(struct rc_dev *dev,
                              struct rc_scancode_filter *filter)
 {
-       static u32 masks[] = {
+       static const u32 masks[] = {
                [RC_TYPE_RC5] = 0x1f7f,
                [RC_TYPE_RC5X_20] = 0x1f7f3f,
                [RC_TYPE_RC5_SZ] = 0x2fff,
@@ -757,6 +757,9 @@ static int rc_validate_filter(struct rc_dev *dev,
        u32 s = filter->data;
        enum rc_type protocol = dev->wakeup_protocol;
 
+       if (protocol >= ARRAY_SIZE(masks))
+               return -EINVAL;
+
        switch (protocol) {
        case RC_TYPE_NECX:
                if ((((s >> 16) ^ ~(s >> 8)) & 0xff) == 0)