From: Dan Carpenter <dan.carpenter@oracle.com>
To: linux-media@vger.kernel.org
Subject: [bug report] ttusb-dec: read overflow in ttusb_dec_process_pva()
Date: Thu, 28 Jan 2016 17:41:38 +0300
Message-ID: <20160128144138.GA31320@mwanda>

Hi linux media devs,

I am getting the following static checker warning:

	drivers/media/usb/ttusb-dec/ttusb_dec.c:474 ttusb_dec_process_pva()
	error: __memcpy() '&pva[8]' too small (6140 vs 6144)

drivers/media/usb/ttusb-dec/ttusb_dec.c
   419  static void ttusb_dec_process_pva(struct ttusb_dec *dec, u8 *pva, int length)
   420  {
   421  	if (length < 8) {
   422  		printk("%s: packet too short - discarding\n", __func__);
   423  		return;
   424  	}
   425
   426  	if (length > 8 + MAX_PVA_LENGTH) {

length is capped here.

   427  		printk("%s: packet too long - discarding\n", __func__);
   428  		return;
   429  	}
   430
   431  	switch (pva[2]) {
   432
   433  	case 0x01: {		/* VideoStream */
   434  		int prebytes = pva[5] & 0x03;
   435  		int postbytes = (pva[5] & 0x0c) >> 2;
   436  		__be16 v_pes_payload_length;
   437
   438  		if (output_pva) {
   439  			dec->video_filter->feed->cb.ts(pva, length, NULL, 0,
   440  				&dec->video_filter->feed->feed.ts);
   441  			return;
   442  		}
   443
   444  		if (dec->v_pes_postbytes > 0 &&
   445  		    dec->v_pes_postbytes == prebytes) {
   446  			memcpy(&dec->v_pes[dec->v_pes_length],
   447  			       &pva[12], prebytes);
   448
   449  			dvb_filter_pes2ts(&dec->v_pes2ts, dec->v_pes,
   450  					  dec->v_pes_length + prebytes, 1);
   451  		}
   452
   453  		if (pva[5] & 0x10) {
   454  			dec->v_pes[7] = 0x80;
   455  			dec->v_pes[8] = 0x05;
   456
   457  			dec->v_pes[9] = 0x21 | ((pva[8] & 0xc0) >> 5);
   458  			dec->v_pes[10] = ((pva[8] & 0x3f) << 2) |
   459  					 ((pva[9] & 0xc0) >> 6);
   460  			dec->v_pes[11] = 0x01 |
   461  					 ((pva[9] & 0x3f) << 2) |
   462  					 ((pva[10] & 0x80) >> 6);
   463  			dec->v_pes[12] = ((pva[10] & 0x7f) << 1) |
   464  					 ((pva[11] & 0xc0) >> 7);
   465  			dec->v_pes[13] = 0x01 | ((pva[11] & 0x7f) << 1);
   466
   467  			memcpy(&dec->v_pes[14], &pva[12 + prebytes],
   468  			       length - 12 - prebytes);
   469  			dec->v_pes_length = 14 + length - 12 - prebytes;
   470  		} else {
   471  			dec->v_pes[7] = 0x00;
   472  			dec->v_pes[8] = 0x00;
   473
   474  			memcpy(&dec->v_pes[9], &pva[8], length - 8);

The problem is that pva[] comes from (struct ttusb_dec)->packet which
has MAX_PVA_LENGTH + 4 bytes and not + 8 bytes.  I am not sure how to
fix this.

   475  			dec->v_pes_length = 9 + length - 8;
   476  		}
   477

regards,
dan carpenter
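
Added example, not part of the original message and not the driver's code or its eventual fix: a user-space C model of the length arithmetic behind the warning, next to a copy helper that bounds length by the real source buffer size. MAX_PVA_LENGTH = 6144 is inferred from the checker's "6140 vs 6144"; PACKET_SIZE, PVA_HDR and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PVA_LENGTH 6144               /* implied by the checker's "6140 vs 6144" */
#define PACKET_SIZE (MAX_PVA_LENGTH + 4)  /* source buffer size stated in the report */
#define PVA_HDR 8                         /* payload is copied from &pva[8] */

/* Model of the existing checks only: bytes read past a PACKET_SIZE buffer
 * by memcpy(..., &pva[8], length - 8), or -1 if the packet is discarded. */
static int overread_with_existing_checks(int length)
{
	if (length < PVA_HDR || length > PVA_HDR + MAX_PVA_LENGTH)
		return -1;
	return length > PACKET_SIZE ? length - PACKET_SIZE : 0;
}

/* Hypothetical helper: bound length by the real source and destination sizes.
 * Returns bytes copied, or -1 if the request does not fit. */
static int copy_pva_payload(unsigned char *dst, size_t dst_room,
			    const unsigned char *pva, size_t pva_size, int length)
{
	if (length < PVA_HDR || (size_t)length > pva_size)
		return -1;
	if ((size_t)length - PVA_HDR > dst_room)
		return -1;
	memcpy(dst, pva + PVA_HDR, (size_t)length - PVA_HDR);
	return length - PVA_HDR;
}

/* Constructed input: a zeroed packet with a marker in its last byte. */
static unsigned char packet[PACKET_SIZE], out[PACKET_SIZE];

static int demo_copy(int length)
{
	packet[PACKET_SIZE - 1] = 0xA5;
	return copy_pva_payload(out, sizeof(out), packet, sizeof(packet), length);
}

int main(void)
{
	printf("existing checks, length %d: %d bytes over-read\n",
	       PVA_HDR + MAX_PVA_LENGTH, overread_with_existing_checks(PVA_HDR + MAX_PVA_LENGTH));
	printf("bounded copy, length %d: %d\n", PVA_HDR + MAX_PVA_LENGTH,
	       demo_copy(PVA_HDR + MAX_PVA_LENGTH));
	printf("bounded copy, length %d: %d\n", PACKET_SIZE, demo_copy(PACKET_SIZE));
	return 0;
}
```

The model counts bytes only; it does not reproduce the driver's v_pes destination layout or the other memcpy() calls in the function.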