From: Dan Carpenter <dan.carpenter@oracle.com>
To: linux-media@vger.kernel.org
Subject: [bug report] ttusb-dec: read overflow in ttusb_dec_process_pva()
Date: Thu, 28 Jan 2016 17:41:38 +0300
Message-ID: <20160128144138.GA31320@mwanda>

Hi linux media devs,

I am getting the following static checker warning:

        drivers/media/usb/ttusb-dec/ttusb_dec.c:474 ttusb_dec_process_pva()
        error: __memcpy() '&pva[8]' too small (6140 vs 6144)

drivers/media/usb/ttusb-dec/ttusb_dec.c
   419  static void ttusb_dec_process_pva(struct ttusb_dec *dec, u8 *pva, int length)
   420  {
   421          if (length < 8) {
   422                  printk("%s: packet too short - discarding\n", __func__);
   423                  return;
   424          }
   425
   426          if (length > 8 + MAX_PVA_LENGTH) {

length is capped here.

   427                  printk("%s: packet too long - discarding\n", __func__);
   428                  return;
   429          }
   430
   431          switch (pva[2]) {
   432
   433          case 0x01: {            /* VideoStream */
   434                  int prebytes = pva[5] & 0x03;
   435                  int postbytes = (pva[5] & 0x0c) >> 2;
   436                  __be16 v_pes_payload_length;
   437
   438                  if (output_pva) {
   439                          dec->video_filter->feed->cb.ts(pva, length, NULL, 0,
   440                                  &dec->video_filter->feed->feed.ts);
   441                          return;
   442                  }
   443
   444                  if (dec->v_pes_postbytes > 0 &&
   445                      dec->v_pes_postbytes == prebytes) {
   446                          memcpy(&dec->v_pes[dec->v_pes_length],
   447                                 &pva[12], prebytes);
   448
   449                          dvb_filter_pes2ts(&dec->v_pes2ts, dec->v_pes,
   450                                            dec->v_pes_length + prebytes, 1);
   451                  }
   452
   453                  if (pva[5] & 0x10) {
   454                          dec->v_pes[7] = 0x80;
   455                          dec->v_pes[8] = 0x05;
   456
   457                          dec->v_pes[9] = 0x21 | ((pva[8] & 0xc0) >> 5);
   458                          dec->v_pes[10] = ((pva[8] & 0x3f) << 2) |
   459                                           ((pva[9] & 0xc0) >> 6);
   460                          dec->v_pes[11] = 0x01 |
   461                                           ((pva[9] & 0x3f) << 2) |
   462                                           ((pva[10] & 0x80) >> 6);
   463                          dec->v_pes[12] = ((pva[10] & 0x7f) << 1) |
   464                                           ((pva[11] & 0xc0) >> 7);
   465                          dec->v_pes[13] = 0x01 | ((pva[11] & 0x7f) << 1);
   466
   467                          memcpy(&dec->v_pes[14], &pva[12 + prebytes],
   468                                 length - 12 - prebytes);
   469                          dec->v_pes_length = 14 + length - 12 - prebytes;
   470                  } else {
   471                          dec->v_pes[7] = 0x00;
   472                          dec->v_pes[8] = 0x00;
   473
   474                          memcpy(&dec->v_pes[9], &pva[8], length - 8);

The problem is that pva[] comes from (struct ttusb_dec)->packet which
has MAX_PVA_LENGTH + 4 bytes and not + 8 bytes.  I am not sure how to
fix this.

   475                          dec->v_pes_length = 9 + length - 8;
   476                  }
   477

regards,
dan carpenter
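
Added example (not part of the original message or of the driver source): a user-space C model of the bounds in the report, showing which lengths pass the check at lines 421-429 and still read past the source buffer at line 474. It takes MAX_PVA_LENGTH as 6144, which follows from the checker's "6140 vs 6144" figures and the MAX_PVA_LENGTH + 4 buffer size; all function names, the destination buffer size and copy_payload_checked() are hypothetical, and the latter is one possible bounded copy, not a fix taken from the thread.

```c
#include <string.h>
/* From the report: 6140 bytes remain after &pva[8], the copy may need 6144,
 * and the source buffer is MAX_PVA_LENGTH + 4 bytes, so MAX_PVA_LENGTH = 6144. */
#define MAX_PVA_LENGTH 6144
#define PACKET_SIZE (MAX_PVA_LENGTH + 4)
#define PVA_HEADER 8

/* The length test at lines 421-429 of the listing. */
static int driver_check_accepts(int length)
{
	return length >= PVA_HEADER && length <= PVA_HEADER + MAX_PVA_LENGTH;
}

/* Bytes memcpy(dst, &pva[8], length - 8) reads past the packet buffer. */
static int overread_bytes(int length)
{
	return length > PACKET_SIZE ? length - PACKET_SIZE : 0;
}

/* How many lengths pass the driver's test yet over-read the buffer. */
static int count_unsafe_lengths(void)
{
	int n = 0;
	for (int len = 0; len <= PVA_HEADER + MAX_PVA_LENGTH + 16; len++)
		n += driver_check_accepts(len) && overread_bytes(len) > 0;
	return n;
}

/* Hypothetical helper: bound the copy by the real source and destination sizes. */
static int copy_payload_checked(unsigned char *dst, size_t dst_size,
				const unsigned char *pva, size_t pva_size, int length)
{
	if (length < PVA_HEADER || (size_t)length > pva_size ||
	    (size_t)length - PVA_HEADER > dst_size)
		return -1;
	memcpy(dst, pva + PVA_HEADER, (size_t)length - PVA_HEADER);
	return length - PVA_HEADER;
}

/* Checked copy on a constructed all-zero packet of PACKET_SIZE bytes. */
static int checked_copy_demo(int length)
{
	static unsigned char pkt[PACKET_SIZE], out[MAX_PVA_LENGTH];
	return copy_payload_checked(out, sizeof(out), pkt, sizeof(pkt), length);
}

int main(void)
{
	return (count_unsafe_lengths() == 4 && checked_copy_demo(6152) == -1) ? 0 : 1;
}
```

In this model, lengths 6149 through 6152 are accepted by the driver's test, and the worst case reads 4 bytes beyond the 6148-byte buffer, matching the 6140 vs 6144 gap in the warning.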