From patchwork Fri Jan 7 19:41:54 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 5491 Return-path: Envelope-to: mchehab@pedra Delivery-date: Sun, 09 Jan 2011 17:10:00 -0200 Received: from mchehab by pedra with local (Exim 4.72) (envelope-from ) id 1Pc0eO-0001fC-Hn for mchehab@pedra; Sun, 09 Jan 2011 17:10:00 -0200 Received: from casper.infradead.org [85.118.1.10] by pedra with IMAP (fetchmail-6.3.17) for (single-drop); Sun, 09 Jan 2011 17:10:00 -0200 (BRST) Received: from vger.kernel.org ([209.132.180.67]) by casper.infradead.org with esmtp (Exim 4.72 #1 (Red Hat Linux)) id 1PbICu-0004jt-4M; Fri, 07 Jan 2011 19:42:40 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754214Ab1AGTmh (ORCPT + 1 other); Fri, 7 Jan 2011 14:42:37 -0500 Received: from mail-ww0-f44.google.com ([74.125.82.44]:33852 "EHLO mail-ww0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752862Ab1AGTmg (ORCPT ); Fri, 7 Jan 2011 14:42:36 -0500 Received: by wwa36 with SMTP id 36so18827316wwa.1 for ; Fri, 07 Jan 2011 11:42:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=by0mcq6OmIPG1X7gCta5JtWvfaovbZJlKpXmBcb0LzE=; b=c3ReHRNCVJKU63q7eBXlE63yYt7SIcbNyuXKxIeNOIHy4GuHSknADHI56DGaRioVMM 38X2P23sTPZeT+rOa/3rljHHO46wO/hcpkMAMnLXEmyeiZVNbEw6XPuMsnzuddyBb6o0 3D4XbVj33YR34/1uU9DJ+oA6AZ4wwzOYvHjnk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=er7e40YWDgUZ/CnFA7+f9Q/jGkku6qCTgXBQ2V3sOF5s6u35PRzkc/OghnfZCubS9T 13NXEgvSOtD86FzDf/wV5xzayTrTxmSs1/o3ELc7uQdsSHIhXiYwLuQxXCI63Ch8meRX dlUaKZh79/QDOMpzoDH9WgXfmVzdatxYRKFr8= Received: by 10.227.154.213 with SMTP id p21mr15882446wbw.41.1294429354365; Fri, 07 Jan 2011 11:42:34 -0800 (PST) Received: from bicker ([41.202.225.145]) by mx.google.com with ESMTPS id f52sm12617328wes.11.2011.01.07.11.42.30 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 07 Jan 2011 11:42:33 -0800 (PST) Date: Fri, 7 Jan 2011 22:41:54 +0300 From: Dan Carpenter To: linux-media@vger.kernel.org Cc: Andreas Oberritter , Mauro Carvalho Chehab , kernel-janitors@vger.kernel.org Subject: [patch v3] [media] av7110: check for negative array offset Message-ID: <20110107194153.GA1959@bicker> References: <20110106194059.GC1717@bicker> <4D270A9F.7080104@linuxtv.org> <20110107134651.GH1717@bicker> <201101072001.20850@orion.escape-edv.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <201101072001.20850@orion.escape-edv.de> User-Agent: Mutt/1.5.20 (2009-06-14) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Sender: info->num comes from the user. It's type int. If the user passes in a negative value that would cause memory corruption. Signed-off-by: Dan Carpenter --- V2: change the check instead of making num and unsigned int V3: white space changes -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c index 122c728..923a8e2 100644 --- a/drivers/media/dvb/ttpci/av7110_ca.c +++ b/drivers/media/dvb/ttpci/av7110_ca.c @@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) { ca_slot_info_t *info=(ca_slot_info_t *)parg; - if (info->num > 1) + if (info->num < 0 || info->num > 1) return -EINVAL; av7110->ci_slot[info->num].num = info->num; av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?