aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMauro Carvalho Chehab <mchehab@infradead.org>2008-04-22 13:42:13 -0400
committerMauro Carvalho Chehab <mchehab@infradead.org>2008-04-24 13:07:44 -0400
commitf13613acfb1a71895ac886dc831d6ae4e20e241a (patch)
treeead5941f87548b9848837dab2d78d364913037de
parent6a6179b6db401acde5798b4da0fdff32b126ee15 (diff)
V4L/DVB (7235): tuner-simple: fix a buffer overflow
simple_set_tv() creates a buffer with 4 elements, and calls simple_std_setup(), passing &buffer[1]. This makes the 5th element of buffer to be initialized to 0, overriding some area outside the buffer. Also, simple_std_setup() receives a buffer as parameter, but the buffer is just overriden after the call, so, it doesn't make much sense to pass it as a parameter. This patch removes buffer[] from the function call, creating, instead, a local var to be used internally. Thanks to Axel Rometsch <axel.rometsch@freenet.de> for pointing the issue. Reviewed-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
-rw-r--r--drivers/media/video/tuner-simple.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/media/video/tuner-simple.c b/drivers/media/video/tuner-simple.c
index dc2467159ece..ee5ef860700a 100644
--- a/drivers/media/video/tuner-simple.c
+++ b/drivers/media/video/tuner-simple.c
@@ -251,7 +251,7 @@ static int simple_config_lookup(struct dvb_frontend *fe,
251 251
252static int simple_std_setup(struct dvb_frontend *fe, 252static int simple_std_setup(struct dvb_frontend *fe,
253 struct analog_parameters *params, 253 struct analog_parameters *params,
254 u8 *buffer, u8 *config, u8 *cb) 254 u8 *config, u8 *cb)
255{ 255{
256 struct tuner_simple_priv *priv = fe->tuner_priv; 256 struct tuner_simple_priv *priv = fe->tuner_priv;
257 u8 tuneraddr; 257 u8 tuneraddr;
@@ -323,14 +323,12 @@ static int simple_std_setup(struct dvb_frontend *fe,
323 break; 323 break;
324 324
325 case TUNER_PHILIPS_TUV1236D: 325 case TUNER_PHILIPS_TUV1236D:
326 {
326 /* 0x40 -> ATSC antenna input 1 */ 327 /* 0x40 -> ATSC antenna input 1 */
327 /* 0x48 -> ATSC antenna input 2 */ 328 /* 0x48 -> ATSC antenna input 2 */
328 /* 0x00 -> NTSC antenna input 1 */ 329 /* 0x00 -> NTSC antenna input 1 */
329 /* 0x08 -> NTSC antenna input 2 */ 330 /* 0x08 -> NTSC antenna input 2 */
330 buffer[0] = 0x14; 331 u8 buffer[4] = { 0x14, 0x00, 0x17, 0x00};
331 buffer[1] = 0x00;
332 buffer[2] = 0x17;
333 buffer[3] = 0x00;
334 *cb &= ~0x40; 332 *cb &= ~0x40;
335 if (params->std & V4L2_STD_ATSC) { 333 if (params->std & V4L2_STD_ATSC) {
336 *cb |= 0x40; 334 *cb |= 0x40;
@@ -351,6 +349,7 @@ static int simple_std_setup(struct dvb_frontend *fe,
351 /* FIXME: input */ 349 /* FIXME: input */
352 break; 350 break;
353 } 351 }
352 }
354 353
355 return 0; 354 return 0;
356} 355}
@@ -509,7 +508,7 @@ static int simple_set_tv_freq(struct dvb_frontend *fe,
509 offset / 16, offset % 16 * 100 / 16, div); 508 offset / 16, offset % 16 * 100 / 16, div);
510 509
511 /* tv norm specific stuff for multi-norm tuners */ 510 /* tv norm specific stuff for multi-norm tuners */
512 simple_std_setup(fe, params, &buffer[1], &config, &cb); 511 simple_std_setup(fe, params, &config, &cb);
513 512
514 if (t_params->cb_first_if_lower_freq && div < priv->last_div) { 513 if (t_params->cb_first_if_lower_freq && div < priv->last_div) {
515 buffer[0] = config; 514 buffer[0] = config;