From: Daniel Scheller Date: Sun, 9 Jul 2017 19:42:45 +0000 (-0400) Subject: media: ddbridge: fix buffer overflow in max_set_input_unlocked() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b9a92f62c555a37e5676f695e94616a261f9403e;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git media: ddbridge: fix buffer overflow in max_set_input_unlocked() Picked up code parts introduced one smatch error: drivers/media/pci/ddbridge/ddbridge-maxs8.c:163 max_set_input_unlocked() error: buffer overflow 'dev->link[port->lnr].lnb.voltage' 4 <= 255 Fix this by clamping the .lnb.voltage array access to 0-3 by "& 3"'ing dvb->input. Cc: Ralph Metzler Signed-off-by: Daniel Scheller Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/pci/ddbridge/ddbridge-maxs8.c b/drivers/media/pci/ddbridge/ddbridge-maxs8.c index a9dc5f9754da..10716ee8cf59 100644 --- a/drivers/media/pci/ddbridge/ddbridge-maxs8.c +++ b/drivers/media/pci/ddbridge/ddbridge-maxs8.c @@ -187,11 +187,12 @@ static int max_set_input_unlocked(struct dvb_frontend *fe, int in) return -EINVAL; if (dvb->input != in) { u32 bit = (1ULL << input->nr); - u32 obit = dev->link[port->lnr].lnb.voltage[dvb->input] & bit; + u32 obit = + dev->link[port->lnr].lnb.voltage[dvb->input & 3] & bit; - dev->link[port->lnr].lnb.voltage[dvb->input] &= ~bit; + dev->link[port->lnr].lnb.voltage[dvb->input & 3] &= ~bit; dvb->input = in; - dev->link[port->lnr].lnb.voltage[dvb->input] |= obit; + dev->link[port->lnr].lnb.voltage[dvb->input & 3] |= obit; } res = dvb->set_input(fe, in); return res;