author | Mauro Carvalho Chehab <mchehab@infradead.org> | 2008-04-22 13:42:13 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2008-04-24 13:07:44 -0400 |
commit | f13613acfb1a71895ac886dc831d6ae4e20e241a (patch) | |
tree | ead5941f87548b9848837dab2d78d364913037de | |
parent | 6a6179b6db401acde5798b4da0fdff32b126ee15 (diff) |
V4L/DVB (7235): tuner-simple: fix a buffer overflow
simple_set_tv() creates a buffer with 4 elements, and calls
simple_std_setup(), passing &buffer[1]. This causes a 5th element of buffer to
be initialized to 0, overwriting memory outside the buffer.
Also, simple_std_setup() receives a buffer as a parameter, but the buffer is
just overwritten after the call, so it doesn't make much sense to pass it as a
parameter.
This patch removes buffer[] from the function call, creating, instead, a local
var to be used internally.
Thanks to Axel Rometsch <axel.rometsch@freenet.de> for pointing the issue.
Reviewed-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
-rw-r--r-- | drivers/media/video/tuner-simple.c | 11 |
1 files changed, 5 insertions, 6 deletions
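diff --git a/drivers/media/video/tuner-simple.c b/drivers/media/video/tuner-simple.c
index dc2467159ece..ee5ef860700a 100644
--- a/drivers/media/video/tuner-simple.c
+++ b/drivers/media/video/tuner-simple.c
@@ -251,7 +251,7 @@ static int simple_config_lookup(struct dvb_frontend *fe,
 
 static int simple_std_setup(struct dvb_frontend *fe,
 struct analog_parameters *params,
-u8 *buffer, u8 *config, u8 *cb)
+u8 *config, u8 *cb)
 {
 struct tuner_simple_priv *priv = fe->tuner_priv;
 u8 tuneraddr;
@@ -323,14 +323,12 @@ static int simple_std_setup(struct dvb_frontend *fe,
 break;
 
 case TUNER_PHILIPS_TUV1236D:
+{
 /* 0x40 -> ATSC antenna input 1 */
 /* 0x48 -> ATSC antenna input 2 */
 /* 0x00 -> NTSC antenna input 1 */
 /* 0x08 -> NTSC antenna input 2 */
-buffer[0] = 0x14;
-buffer[1] = 0x00;
-buffer[2] = 0x17;
-buffer[3] = 0x00;
+u8 buffer[4] = { 0x14, 0x00, 0x17, 0x00};
 *cb &= ~0x40;
 if (params->std & V4L2_STD_ATSC) {
 *cb |= 0x40;
@@ -351,6 +349,7 @@ static int simple_std_setup(struct dvb_frontend *fe,
 /* FIXME: input */
 break;
 }
+}
 
 return 0;
 }
@@ -509,7 +508,7 @@ static int simple_set_tv_freq(struct dvb_frontend *fe,
 offset / 16, offset % 16 * 100 / 16, div);
 
 /* tv norm specific stuff for multi-norm tuners */
-simple_std_setup(fe, params, &buffer[1], &config, &cb);
+simple_std_setup(fe, params, &config, &cb);
 
 if (t_params->cb_first_if_lower_freq && div < priv->last_div) {
 buffer[0] = config;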
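Review bot: The new local `u8 buffer[4] = { 0x14, 0x00, 0x17, 0x00};` in the TUNER_PHILIPS_TUV1236D case has no comment saying why the array is local, so a later cleanup could reintroduce the caller-supplied pointer whose length this code could not check. A one-line comment above the declaration would record that, for example `/* local on purpose: this case fills 4 bytes and must not write through a caller pointer of unknown length */`. The initializer is also missing the space before the closing brace; `{ 0x14, 0x00, 0x17, 0x00 }` matches the opening side. The case body continues between the second and third hunks, so how `buffer` is indexed afterwards is not visible here and should be confirmed to stay within its four elements. Separately, the call in the last hunk still ignores the `int` result of simple_std_setup(), whose only visible return is `return 0;`.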