[media] r820t: avoid potential memcpy buffer overflow in shadow_store()

The memcpy in shadow_store() could exceed buffer limits when r > 0.

Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
index 63062a9b4003071e0cf9fe5df7d7b8fedd5e0117..0a5f96be08f1d6b1df1996f758826509f1897215 100644 (file)
--- a/drivers/media/tuners/r820t.c
+++ b/drivers/media/tuners/r820t.c
@@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val,
        }
        if (len <= 0)
                return;
-       if (len > NUM_REGS)
-               len = NUM_REGS;
+       if (len > NUM_REGS - r)
+               len = NUM_REGS - r;
 
        tuner_dbg("%s: prev  reg=%02x len=%d: %*ph\n",
                  __func__, r + REG_SHADOW_START, len, len, val);