From: Gianluca Gennari Date: Sun, 2 Jun 2013 17:31:19 +0000 (-0300) Subject: [media] r820t: avoid potential memcpy buffer overflow in shadow_store() X-Git-Tag: firefly_0821_release~176^2~3573^2~1667 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=757d7ace565c06e1302ba7c9244d839455e13881;p=firefly-linux-kernel-4.4.55.git [media] r820t: avoid potential memcpy buffer overflow in shadow_store() The memcpy in shadow_store() could exceed buffer limits when r > 0. Signed-off-by: Gianluca Gennari Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c index 63062a9b4003..0a5f96be08f1 100644 --- a/drivers/media/tuners/r820t.c +++ b/drivers/media/tuners/r820t.c @@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val, } if (len <= 0) return; - if (len > NUM_REGS) - len = NUM_REGS; + if (len > NUM_REGS - r) + len = NUM_REGS - r; tuner_dbg("%s: prev reg=%02x len=%d: %*ph\n", __func__, r + REG_SHADOW_START, len, len, val);