projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5a9ff85)
[media] pms: Fix a bad usage of the stack
authorMauro Carvalho Chehab <mchehab@osg.samsung.com>
Wed, 24 Sep 2014 18:35:55 +0000 (15:35 -0300)
committerMauro Carvalho Chehab <mchehab@osg.samsung.com>
Fri, 26 Sep 2014 09:47:55 +0000 (06:47 -0300)
As warned by smatch:
drivers/media/parport/pms.c:632:21: warning: Variable length array is used.

The pms driver is doing something really bad: it is using the
stack to read data into a buffer whose size is given by the
user by the read() syscall. Replace it by a dynamically allocated
buffer.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/parport/pms.c patch | blob | blame | history

diff --git a/drivers/media/parport/pms.c b/drivers/media/parport/pms.c
index 9bc105b3db1bcec5dbb775f591188d7ec34e1adf..e6b497528ceaca5dcc671ad7a92d080936a2a316 100644 (file)
--- a/drivers/media/parport/pms.c
+++ b/drivers/media/parport/pms.c
@@ -629,11 +629,15 @@ static int pms_capture(struct pms *dev, char __user *buf, int rgb555, int count)
 {
        int y;
        int dw = 2 * dev->width;
-       char tmp[dw + 32]; /* using a temp buffer is faster than direct  */
+       char *tmp; /* using a temp buffer is faster than direct  */
        int cnt = 0;
        int len = 0;
        unsigned char r8 = 0x5;  /* value for reg8  */
 
+       tmp = kmalloc(dw + 32, GFP_KERNEL);
+       if (!tmp)
+               return 0;
+
        if (rgb555)
                r8 |= 0x20; /* else use untranslated rgb = 565 */
        mvv_write(dev, 0x08, r8); /* capture rgb555/565, init DRAM, PC enable */
@@ -664,6 +668,7 @@ static int pms_capture(struct pms *dev, char __user *buf, int rgb555, int count)
                        len += dt;
                }
        }
+       kfree(tmp);
        return len;
 }