* [bug report] ttusb-dec: read overflow in ttusb_dec_process_pva()
@ 2016-01-28 14:41 Dan Carpenter
From: Dan Carpenter @ 2016-01-28 14:41 UTC
To: linux-media

Hi linux media devs,

I am getting the following static checker warning:

	drivers/media/usb/ttusb-dec/ttusb_dec.c:474 ttusb_dec_process_pva()
	error: __memcpy() '&pva[8]' too small (6140 vs 6144)

drivers/media/usb/ttusb-dec/ttusb_dec.c
   419  static void ttusb_dec_process_pva(struct ttusb_dec *dec, u8 *pva, int length)
   420  {
   421  	if (length < 8) {
   422  		printk("%s: packet too short - discarding\n", __func__);
   423  		return;
   424  	}
   425
   426  	if (length > 8 + MAX_PVA_LENGTH) {

length is capped here.

   427  		printk("%s: packet too long - discarding\n", __func__);
   428  		return;
   429  	}
   430
   431  	switch (pva[2]) {
   432
   433  	case 0x01: {		/* VideoStream */
   434  		int prebytes = pva[5] & 0x03;
   435  		int postbytes = (pva[5] & 0x0c) >> 2;
   436  		__be16 v_pes_payload_length;
   437
   438  		if (output_pva) {
   439  			dec->video_filter->feed->cb.ts(pva, length, NULL, 0,
   440  				&dec->video_filter->feed->feed.ts);
   441  			return;
   442  		}
   443
   444  		if (dec->v_pes_postbytes > 0 &&
   445  		    dec->v_pes_postbytes == prebytes) {
   446  			memcpy(&dec->v_pes[dec->v_pes_length],
   447  			       &pva[12], prebytes);
   448
   449  			dvb_filter_pes2ts(&dec->v_pes2ts, dec->v_pes,
   450  					  dec->v_pes_length + prebytes, 1);
   451  		}
   452
   453  		if (pva[5] & 0x10) {
   454  			dec->v_pes[7] = 0x80;
   455  			dec->v_pes[8] = 0x05;
   456
   457  			dec->v_pes[9] = 0x21 | ((pva[8] & 0xc0) >> 5);
   458  			dec->v_pes[10] = ((pva[8] & 0x3f) << 2) |
   459  					 ((pva[9] & 0xc0) >> 6);
   460  			dec->v_pes[11] = 0x01 |
   461  					 ((pva[9] & 0x3f) << 2) |
   462  					 ((pva[10] & 0x80) >> 6);
   463  			dec->v_pes[12] = ((pva[10] & 0x7f) << 1) |
   464  					 ((pva[11] & 0xc0) >> 7);
   465  			dec->v_pes[13] = 0x01 | ((pva[11] & 0x7f) << 1);
   466
   467  			memcpy(&dec->v_pes[14], &pva[12 + prebytes],
   468  			       length - 12 - prebytes);
   469  			dec->v_pes_length = 14 + length - 12 - prebytes;
   470  		} else {
   471  			dec->v_pes[7] = 0x00;
   472  			dec->v_pes[8] = 0x00;
   473
   474  			memcpy(&dec->v_pes[9], &pva[8], length - 8);

The problem is that pva[] comes from (struct ttusb_dec)->packet which
has MAX_PVA_LENGTH + 4 bytes and not + 8 bytes.  I am not sure how to
fix this.

   475  			dec->v_pes_length = 9 + length - 8;
   476  		}
   477

regards,
dan carpenter
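
The size mismatch behind the warning above, as an added example that is not part of the original message or of the driver: it models the arithmetic only and does not propose the fix. MAX_PVA_LENGTH = 6144 is inferred from the checker's "6140 vs 6144"; pva_overread(), pva_copy_payload() and the capacity parameters are hypothetical names introduced for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX_PVA_LENGTH 6144                 /* inferred from "6140 vs 6144" in the warning */
#define PACKET_SIZE    (MAX_PVA_LENGTH + 4) /* packet buffer size as stated in the report */
#define PVA_HDR        8                    /* bytes skipped before the copied payload */

/* Bytes that memcpy(dst, &pva[8], length - 8) would read past a source
 * buffer of src_cap bytes, for a length that passes the two checks at
 * lines 421 and 426. Returns 0 when the packet is discarded or fits. */
static size_t pva_overread(size_t src_cap, size_t length)
{
	if (length < PVA_HDR || length > PVA_HDR + MAX_PVA_LENGTH)
		return 0;
	return length > src_cap ? length - src_cap : 0;
}

/* Hypothetical checked copy: additionally bounds length by the real
 * source and destination capacities. Returns bytes copied, or -1. */
static long pva_copy_payload(unsigned char *dst, size_t dst_cap,
			     const unsigned char *pva, size_t src_cap,
			     size_t length)
{
	if (length < PVA_HDR || length > PVA_HDR + MAX_PVA_LENGTH)
		return -1;
	if (length > src_cap || length - PVA_HDR > dst_cap)
		return -1;
	memcpy(dst, pva + PVA_HDR, length - PVA_HDR);
	return (long)(length - PVA_HDR);
}

int main(void)
{
	static unsigned char pkt[PACKET_SIZE], out[MAX_PVA_LENGTH];
	size_t worst = PVA_HDR + MAX_PVA_LENGTH; /* largest length the cap allows */

	printf("over-read at length %zu: %zu bytes\n", worst,
	       pva_overread(sizeof(pkt), worst));
	printf("checked copy at %zu: %ld\n", worst,
	       pva_copy_payload(out, sizeof(out), pkt, sizeof(pkt), worst));
	printf("checked copy at %zu: %ld\n", sizeof(pkt),
	       pva_copy_payload(out, sizeof(out), pkt, sizeof(pkt), sizeof(pkt)));
	return 0;
}
```

The destination capacity passed in main() is a constructed value; the real size of v_pes is not shown in the message.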