diff options
| author | Eric Sesterhenn <snakebyte@gmx.de> | 2006-06-06 10:20:08 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2006-06-25 01:05:05 -0400 |
| commit | 845f16abad37e2a255ac1c167375f6588502f93f (patch) | |
| tree | 2715019d91f4d0f7e309b36ffdb64de223ddf327 | |
| parent | 5e87efa3b29c105f81fea785babafb098e4e046d (diff) | |
V4L/DVB (4070): Zoran strncpy() fix
The zoran driver uses strncpy() in an unsafe way. This patch uses the proper
sizeof()-1 size parameter. Since all strncpy() targets are initialised with
memset() the trailing '\0' is already set. Where std->name was the target for
the strncpy() we overwrote 8 Bytes of the std structure with zeros.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
| -rw-r--r-- | drivers/media/video/zoran_driver.c | 26 | ||||
| -rw-r--r-- | include/linux/videodev2.h | 2 |
2 files changed, 15 insertions, 13 deletions
diff --git a/drivers/media/video/zoran_driver.c b/drivers/media/video/zoran_driver.c index fd05a7fc492..9711f6248ef 100644 --- a/drivers/media/video/zoran_driver.c +++ b/drivers/media/video/zoran_driver.c | |||
| @@ -2048,7 +2048,7 @@ zoran_do_ioctl (struct inode *inode, | |||
| 2048 | dprintk(3, KERN_DEBUG "%s: VIDIOCGCAP\n", ZR_DEVNAME(zr)); | 2048 | dprintk(3, KERN_DEBUG "%s: VIDIOCGCAP\n", ZR_DEVNAME(zr)); |
| 2049 | 2049 | ||
| 2050 | memset(vcap, 0, sizeof(struct video_capability)); | 2050 | memset(vcap, 0, sizeof(struct video_capability)); |
| 2051 | strncpy(vcap->name, ZR_DEVNAME(zr), sizeof(vcap->name)); | 2051 | strncpy(vcap->name, ZR_DEVNAME(zr), sizeof(vcap->name)-1); |
| 2052 | vcap->type = ZORAN_VID_TYPE; | 2052 | vcap->type = ZORAN_VID_TYPE; |
| 2053 | 2053 | ||
| 2054 | vcap->channels = zr->card.inputs; | 2054 | vcap->channels = zr->card.inputs; |
| @@ -2690,8 +2690,8 @@ zoran_do_ioctl (struct inode *inode, | |||
| 2690 | dprintk(3, KERN_DEBUG "%s: VIDIOC_QUERYCAP\n", ZR_DEVNAME(zr)); | 2690 | dprintk(3, KERN_DEBUG "%s: VIDIOC_QUERYCAP\n", ZR_DEVNAME(zr)); |
| 2691 | 2691 | ||
| 2692 | memset(cap, 0, sizeof(*cap)); | 2692 | memset(cap, 0, sizeof(*cap)); |
| 2693 | strncpy(cap->card, ZR_DEVNAME(zr), sizeof(cap->card)); | 2693 | strncpy(cap->card, ZR_DEVNAME(zr), sizeof(cap->card)-1); |
| 2694 | strncpy(cap->driver, "zoran", sizeof(cap->driver)); | 2694 | strncpy(cap->driver, "zoran", sizeof(cap->driver)-1); |
| 2695 | snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", | 2695 | snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", |
| 2696 | pci_name(zr->pci_dev)); | 2696 | pci_name(zr->pci_dev)); |
| 2697 | cap->version = | 2697 | cap->version = |
| @@ -2743,7 +2743,7 @@ zoran_do_ioctl (struct inode *inode, | |||
| 2743 | memset(fmt, 0, sizeof(*fmt)); | 2743 | memset(fmt, 0, sizeof(*fmt)); |
| 2744 | fmt->index = index; | 2744 | fmt->index = index; |
| 2745 | fmt->type = type; | 2745 | fmt->type = type; |
| 2746 | strncpy(fmt->description, zoran_formats[i].name, 31); | 2746 | strncpy(fmt->description, zoran_formats[i].name, sizeof(fmt->description)-1); |
| 2747 | fmt->pixelformat = zoran_formats[i].fourcc; | 2747 | fmt->pixelformat = zoran_formats[i].fourcc; |
| 2748 | if (zoran_formats[i].flags & ZORAN_FORMAT_COMPRESSED) | 2748 | if (zoran_formats[i].flags & ZORAN_FORMAT_COMPRESSED) |
| 2749 | fmt->flags |= V4L2_FMT_FLAG_COMPRESSED; | 2749 | fmt->flags |= V4L2_FMT_FLAG_COMPRESSED; |
| @@ -3567,16 +3567,16 @@ zoran_do_ioctl (struct inode *inode, | |||
| 3567 | 3567 | ||
| 3568 | switch (ctrl->id) { | 3568 | switch (ctrl->id) { |
| 3569 | case V4L2_CID_BRIGHTNESS: | 3569 | case V4L2_CID_BRIGHTNESS: |
| 3570 | strncpy(ctrl->name, "Brightness", 31); | 3570 | strncpy(ctrl->name, "Brightness", sizeof(ctrl->name)-1); |
| 3571 | break; | 3571 | break; |
| 3572 | case V4L2_CID_CONTRAST: | 3572 | case V4L2_CID_CONTRAST: |
| 3573 | strncpy(ctrl->name, "Contrast", 31); | 3573 | strncpy(ctrl->name, "Contrast", sizeof(ctrl->name)-1); |
| 3574 | break; | 3574 | break; |
| 3575 | case V4L2_CID_SATURATION: | 3575 | case V4L2_CID_SATURATION: |
| 3576 | strncpy(ctrl->name, "Saturation", 31); | 3576 | strncpy(ctrl->name, "Saturation", sizeof(ctrl->name)-1); |
| 3577 | break; | 3577 | break; |
| 3578 | case V4L2_CID_HUE: | 3578 | case V4L2_CID_HUE: |
| 3579 | strncpy(ctrl->name, "Hue", 31); | 3579 | strncpy(ctrl->name, "Hue", sizeof(ctrl->name)-1); |
| 3580 | break; | 3580 | break; |
| 3581 | } | 3581 | } |
| 3582 | 3582 | ||
| @@ -3694,7 +3694,7 @@ zoran_do_ioctl (struct inode *inode, | |||
| 3694 | &caps); | 3694 | &caps); |
| 3695 | if (caps.flags & VIDEO_DECODER_AUTO) { | 3695 | if (caps.flags & VIDEO_DECODER_AUTO) { |
| 3696 | std->id = V4L2_STD_ALL; | 3696 | std->id = V4L2_STD_ALL; |
| 3697 | strncpy(std->name, "Autodetect", 31); | 3697 | strncpy(std->name, "Autodetect", sizeof(std->name)-1); |
| 3698 | return 0; | 3698 | return 0; |
| 3699 | } else | 3699 | } else |
| 3700 | return -EINVAL; | 3700 | return -EINVAL; |
| @@ -3702,21 +3702,21 @@ zoran_do_ioctl (struct inode *inode, | |||
| 3702 | switch (std->index) { | 3702 | switch (std->index) { |
| 3703 | case 0: | 3703 | case 0: |
| 3704 | std->id = V4L2_STD_PAL; | 3704 | std->id = V4L2_STD_PAL; |
| 3705 | strncpy(std->name, "PAL", 31); | 3705 | strncpy(std->name, "PAL", sizeof(std->name)-1); |
| 3706 | std->frameperiod.numerator = 1; | 3706 | std->frameperiod.numerator = 1; |
| 3707 | std->frameperiod.denominator = 25; | 3707 | std->frameperiod.denominator = 25; |
| 3708 | std->framelines = zr->card.tvn[0]->Ht; | 3708 | std->framelines = zr->card.tvn[0]->Ht; |
| 3709 | break; | 3709 | break; |
| 3710 | case 1: | 3710 | case 1: |
| 3711 | std->id = V4L2_STD_NTSC; | 3711 | std->id = V4L2_STD_NTSC; |
| 3712 | strncpy(std->name, "NTSC", 31); | 3712 | strncpy(std->name, "NTSC", sizeof(std->name)-1); |
| 3713 | std->frameperiod.numerator = 1001; | 3713 | std->frameperiod.numerator = 1001; |
| 3714 | std->frameperiod.denominator = 30000; | 3714 | std->frameperiod.denominator = 30000; |
| 3715 | std->framelines = zr->card.tvn[1]->Ht; | 3715 | std->framelines = zr->card.tvn[1]->Ht; |
| 3716 | break; | 3716 | break; |
| 3717 | case 2: | 3717 | case 2: |
| 3718 | std->id = V4L2_STD_SECAM; | 3718 | std->id = V4L2_STD_SECAM; |
| 3719 | strncpy(std->name, "SECAM", 31); | 3719 | strncpy(std->name, "SECAM", sizeof(std->name)-1); |
| 3720 | std->frameperiod.numerator = 1; | 3720 | std->frameperiod.numerator = 1; |
| 3721 | std->frameperiod.denominator = 25; | 3721 | std->frameperiod.denominator = 25; |
| 3722 | std->framelines = zr->card.tvn[2]->Ht; | 3722 | std->framelines = zr->card.tvn[2]->Ht; |
| @@ -3872,7 +3872,7 @@ zoran_do_ioctl (struct inode *inode, | |||
| 3872 | memset(outp, 0, sizeof(*outp)); | 3872 | memset(outp, 0, sizeof(*outp)); |
| 3873 | outp->index = 0; | 3873 | outp->index = 0; |
| 3874 | outp->type = V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY; | 3874 | outp->type = V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY; |
| 3875 | strncpy(outp->name, "Autodetect", 31); | 3875 | strncpy(outp->name, "Autodetect", sizeof(outp->name)-1); |
| 3876 | 3876 | ||
| 3877 | return 0; | 3877 | return 0; |
| 3878 | } | 3878 | } |
diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h index 795831d9f4d..bc957d83a12 100644 --- a/include/linux/videodev2.h +++ b/include/linux/videodev2.h | |||
| @@ -14,7 +14,9 @@ | |||
| 14 | */ | 14 | */ |
| 15 | #ifndef __LINUX_VIDEODEV2_H | 15 | #ifndef __LINUX_VIDEODEV2_H |
| 16 | #define __LINUX_VIDEODEV2_H | 16 | #define __LINUX_VIDEODEV2_H |
| 17 | #ifdef __KERNEL__ | ||
| 17 | #include <linux/time.h> /* need struct timeval */ | 18 | #include <linux/time.h> /* need struct timeval */ |
| 19 | #endif | ||
| 18 | #include <linux/types.h> | 20 | #include <linux/types.h> |
| 19 | #include <linux/compiler.h> /* need __user */ | 21 | #include <linux/compiler.h> /* need __user */ |
| 20 | 22 | ||