gspca pac7302/pac7311: fix buffer overrun

Message ID	4AF20272.7040104@freemail.hu (mailing list archive)
State	Superseded, archived
Headers	Envelope-to: mchehab@infradead.org Delivery-date: Wed, 04 Nov 2009 22:38:50 +0000 Message-ID: <4AF20272.7040104@freemail.hu> Date: Wed, 04 Nov 2009 23:38:42 +0100 From: =?ISO-8859-2?Q?N=E9meth_M=E1rton?= <nm127@freemail.hu> User-Agent: Mozilla/5.0 (X11; U; Linux i686; hu-HU; rv:1.8.1.21) Gecko/20090402 SeaMonkey/1.1.16 MIME-Version: 1.0 To: Jean-Francois Moine <moinejf@free.fr>, V4L Mailing List <linux-media@vger.kernel.org> Subject: [PATCH] gspca pac7302/pac7311: fix buffer overrun Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 8bit X-DCC-mail.t-online.hu-Metrics: mail02a.mail.t-online.hu 32721; Body=2 Fuz1=2 Fuz2=2 Sender: linux-media-owner@vger.kernel.org Precedence: bulk

Message ID

4AF20272.7040104@freemail.hu (mailing list archive)

State

Superseded, archived

Headers

Envelope-to: mchehab@infradead.org
Delivery-date: Wed, 04 Nov 2009 22:38:50 +0000
Message-ID: <4AF20272.7040104@freemail.hu>
Date: Wed, 04 Nov 2009 23:38:42 +0100
From: =?ISO-8859-2?Q?N=E9meth_M=E1rton?= <nm127@freemail.hu>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; hu-HU;
	rv:1.8.1.21) Gecko/20090402 SeaMonkey/1.1.16
MIME-Version: 1.0
To: Jean-Francois Moine <moinejf@free.fr>,
	V4L Mailing List <linux-media@vger.kernel.org>
Subject: [PATCH] gspca pac7302/pac7311: fix buffer overrun
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: 8bit
X-DCC-mail.t-online.hu-Metrics: mail02a.mail.t-online.hu 32721; Body=2 Fuz1=2
	Fuz2=2
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

Commit Message

Németh Márton Nov. 4, 2009, 10:38 p.m. UTC

  From: Márton Németh <nm127@freemail.hu>

The reg_w_seq() function expects the sequence length in entries
and not in bytes. One entry in init_7302 and init_7311 is two
bytes and not one.

Signed-off-by: Márton Németh <nm127@freemail.hu>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Jean-Francois Moine Nov. 5, 2009, 11:19 a.m. UTC | #1

On Wed, 04 Nov 2009 23:38:42 +0100
Németh Márton <nm127@freemail.hu> wrote:

> The reg_w_seq() function expects the sequence length in entries
> and not in bytes. One entry in init_7302 and init_7311 is two
> bytes and not one.
> 
> Signed-off-by: Márton Németh <nm127@freemail.hu>
> ---
> diff -upr a/drivers/media/video/gspca/pac7302.c
> b/drivers/media/video/gspca/pac7302.c
	[snip]

Hello Németh,

Thank you for the patch! The bug did exist for a long time, and nobody
found it yet.

I have just a remark: some of your patches have a diff starting with
'a/drivers/..'. They should start with 'a/linux/drivers/..' (as done by
'hg export').

Best regards.

diff mbox

Patch

diff -upr a/drivers/media/video/gspca/pac7302.c b/drivers/media/video/gspca/pac7302.c
--- a/drivers/media/video/gspca/pac7302.c	2009-11-05 00:31:36.000000000 +0100
+++ b/drivers/media/video/gspca/pac7302.c	2009-11-05 00:32:50.000000000 +0100
@@ -592,7 +592,7 @@  static void sethvflip(struct gspca_dev *
 /* this function is called at probe and resume time for pac7302 */
 static int sd_init(struct gspca_dev *gspca_dev)
 {
-	reg_w_seq(gspca_dev, init_7302, sizeof init_7302);
+	reg_w_seq(gspca_dev, init_7302, sizeof(init_7302)/2);

 	return 0;
 }
diff -upr a/drivers/media/video/gspca/pac7311.c b/drivers/media/video/gspca/pac7311.c
--- a/drivers/media/video/gspca/pac7311.c	2009-11-04 23:28:31.000000000 +0100
+++ b/drivers/media/video/gspca/pac7311.c	2009-11-05 00:33:08.000000000 +0100
@@ -490,7 +490,7 @@  static void sethvflip(struct gspca_dev *
 /* this function is called at probe and resume time for pac7311 */
 static int sd_init(struct gspca_dev *gspca_dev)
 {
-	reg_w_seq(gspca_dev, init_7311, sizeof init_7311);
+	reg_w_seq(gspca_dev, init_7311, sizeof(init_7311)/2);

 	return 0;
 }