[PATCH] dvb: Fix integer overflow bug
authorJohannes Stezenbach <js@linuxtv.org>
Wed, 9 Nov 2005 05:35:25 +0000 (21:35 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Wed, 9 Nov 2005 15:56:03 +0000 (07:56 -0800)
Fix integer overflow bug in read_signal_strength() reported by Anthony
Leclerc.

Signed-off-by: Johannes Stezenbach <js@linuxtv.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/media/dvb/frontends/or51132.c
drivers/media/dvb/frontends/or51211.c

index fc74c40d64777a500ae7748fde5e06bfdb11a7bd..78bded861d02bb8d2c0c807bbbb9277f52cc8466 100644 (file)
@@ -468,6 +468,7 @@ static int or51132_read_signal_strength(struct dvb_frontend* fe, u16* strength)
        unsigned char snd_buf[2];
        u8 rcvr_stat;
        u16 snr_equ;
+       u32 signal_strength;
        int usK;
 
        snd_buf[0]=0x04;
@@ -503,7 +504,11 @@ static int or51132_read_signal_strength(struct dvb_frontend* fe, u16* strength)
        usK = (rcvr_stat & 0x10) ? 3 : 0;
 
         /* The value reported back from the frontend will be FFFF=100% 0000=0% */
-       *strength = (((8952 - i20Log10(snr_equ) - usK*100)/3+5)*65535)/1000;
+       signal_strength = (((8952 - i20Log10(snr_equ) - usK*100)/3+5)*65535)/1000;
+       if (signal_strength > 0xffff)
+               *strength = 0xffff;
+       else
+               *strength = signal_strength;
        dprintk("read_signal_strength %i\n",*strength);
 
        return 0;
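Review bot: The new clamp at `if (signal_strength > 0xffff)` bounds only the upper end, so the low end of the range is still unchecked. If `i20Log10(snr_equ) + usK*100` can exceed 8952 (i20Log10's return type and range are not visible in this hunk), the subtraction goes negative or wraps, and the value stored in the u32 may then be clamped to 0xffff, reporting a very poor signal as full strength. Consider doing the subtraction in a signed temporary and flooring it before scaling, e.g. `s32 diff = 8952 - (s32)i20Log10(snr_equ) - usK*100;` followed by `if (diff < 0) diff = 0;`. The same applies to the or51211 hunk, where the constant is 5334. The function body starts outside this hunk, so any earlier range check on snr_equ is not visible here.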
index 8a9db23dd1b705578bffa9467e47990e06ee5a9d..531f76246e5f71bdd226632f4f908a5d8fcc60ec 100644 (file)
@@ -339,6 +339,7 @@ static int or51211_read_signal_strength(struct dvb_frontend* fe, u16* strength)
        u8 rec_buf[2];
        u8 snd_buf[4];
        u8 snr_equ;
+       u32 signal_strength;
 
        /* SNR after Equalizer */
        snd_buf[0] = 0x04;
@@ -358,8 +359,11 @@ static int or51211_read_signal_strength(struct dvb_frontend* fe, u16* strength)
        snr_equ = rec_buf[0] & 0xff;
 
        /* The value reported back from the frontend will be FFFF=100% 0000=0% */
-       *strength = (((5334 - i20Log10(snr_equ))/3+5)*65535)/1000;
-
+       signal_strength = (((5334 - i20Log10(snr_equ))/3+5)*65535)/1000;
+       if (signal_strength > 0xffff)
+               *strength = 0xffff;
+       else
+               *strength = signal_strength;
        dprintk("read_signal_strength %i\n",*strength);
 
        return 0;