From: Dan Carpenter Date: Tue, 18 Oct 2011 05:12:09 +0000 (-0300) Subject: [media] av7110: wrong limiter in av7110_start_feed() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9369cc96af2d5e093ed7f0ac9671f4b30d30af86;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [media] av7110: wrong limiter in av7110_start_feed() Smatch complains that the wrong limiter is used here: drivers/media/dvb/ttpci/av7110.c +906 dvb_feed_start_pid(12) error: buffer overflow 'npids' 5 <= 19 Here is the problem code: 905 i = dvbdmxfeed->pes_type; 906 npids[i] = (pid[i]&0x8000) ? 0 : pid[i]; "npids" is a 5 element array declared on the stack. If dvbdmxfeed->pes_type is more than 4 we probably put a (u16)0 past the end of the array. If dvbdmxfeed->pes_type is over 4 the rest of the function doesn't do anything. dvbdmxfeed->pes_type is capped at less than DMX_TS_PES_OTHER (20) in the caller function, but I changed it to less than or equal to DMX_TS_PES_PCR (4). Signed-off-by: Dan Carpenter Acked-by: Oliver Endriss Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/dvb/ttpci/av7110.c b/drivers/media/dvb/ttpci/av7110.c index 3d20719fce1a..abf6b55cf6d5 100644 --- a/drivers/media/dvb/ttpci/av7110.c +++ b/drivers/media/dvb/ttpci/av7110.c @@ -991,7 +991,7 @@ static int av7110_start_feed(struct dvb_demux_feed *feed) if (feed->type == DMX_TYPE_TS) { if ((feed->ts_type & TS_DECODER) && - (feed->pes_type < DMX_TS_PES_OTHER)) { + (feed->pes_type <= DMX_TS_PES_PCR)) { switch (demux->dmx.frontend->source) { case DMX_MEMORY_FE: if (feed->ts_type & TS_DECODER)