gspca pac7302/pac7311: fix buffer overrun
Commit Message
From: Márton Németh <nm127@freemail.hu>
The reg_w_seq() function expects the sequence length in entries
and not in bytes. One entry in init_7302 and init_7311 is two
bytes and not one.
Signed-off-by: Márton Németh <nm127@freemail.hu>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
On Wed, 04 Nov 2009 23:38:42 +0100
Németh Márton <nm127@freemail.hu> wrote:
> The reg_w_seq() function expects the sequence length in entries
> and not in bytes. One entry in init_7302 and init_7311 is two
> bytes and not one.
>
> Signed-off-by: Márton Németh <nm127@freemail.hu>
> ---
> diff -upr a/drivers/media/video/gspca/pac7302.c
> b/drivers/media/video/gspca/pac7302.c
[snip]
Hello Németh,
Thank you for the patch! The bug did exist for a long time, and nobody
found it yet.
I have just a remark: some of your patches have a diff starting with
'a/drivers/..'. They should start with 'a/linux/drivers/..' (as done by
'hg export').
Best regards.
@@ -592,7 +592,7 @@ static void sethvflip(struct gspca_dev *
/* this function is called at probe and resume time for pac7302 */
static int sd_init(struct gspca_dev *gspca_dev)
{
- reg_w_seq(gspca_dev, init_7302, sizeof init_7302);
+ reg_w_seq(gspca_dev, init_7302, sizeof(init_7302)/2);
return 0;
}
@@ -490,7 +490,7 @@ static void sethvflip(struct gspca_dev *
/* this function is called at probe and resume time for pac7311 */
static int sd_init(struct gspca_dev *gspca_dev)
{
- reg_w_seq(gspca_dev, init_7311, sizeof init_7311);
+ reg_w_seq(gspca_dev, init_7311, sizeof(init_7311)/2);
return 0;
}