diff mbox

[3/3] r820t: avoid potential memcpy buffer overflow in shadow_store()

Message ID 1367855077-6134-4-git-send-email-gennarone@gmail.com (mailing list archive)
State Accepted, archived
Delegated to: Michael Krufky
Headers

Commit Message

Gianluca Gennari May 6, 2013, 3:44 p.m. UTC 
  The memcpy in shadow_store() could exceed buffer limits when r > 0. 

Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
---
 drivers/media/tuners/r820t.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox

Patch

diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
index d8fd16a..2d6d498 100644
--- a/drivers/media/tuners/r820t.c
+++ b/drivers/media/tuners/r820t.c
@@ -364,8 +364,8 @@  static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val,
 	}
 	if (len <= 0)
 		return;
-	if (len > NUM_REGS)
-		len = NUM_REGS;
+	if (len > NUM_REGS - r)
+		len = NUM_REGS - r;
 
 	tuner_dbg("%s: prev  reg=%02x len=%d: %*ph\n",
 		  __func__, r + REG_SHADOW_START, len, len, val);