Commit 8e4d86e2 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab
Browse files

media: saa7146: fix array overflow in vidioc_s_audio() 



The "a->index" value comes from the user via the ioctl.  The problem is
that the shift can wrap resulting in setting "mxb->cur_audinput" to an
invalid value, which later results in an array overflow.

Fixes: 66804277 ("[media] mxb: fix audio handling")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent 28c1e371

drivers/media/pci/saa7146/mxb.c

+10 −9
Original line number Diff line number Diff line
@@ -641,7 +641,10 @@ static int vidioc_s_audio(struct file *file, void *fh, const struct v4l2_audio * 
	struct mxb *mxb = (struct mxb *)dev->ext_priv;



	DEB_D("VIDIOC_S_AUDIO %d\n", a->index);

	if (mxb_inputs[mxb->cur_input].audioset & (1 << a->index)) {

	if (a->index >= 32 ||

	    !(mxb_inputs[mxb->cur_input].audioset & (1 << a->index)))

		return -EINVAL;



	if (mxb->cur_audinput != a->index) {

		mxb->cur_audinput = a->index;

		tea6420_route(mxb, a->index);
@@ -650,8 +653,6 @@ static int vidioc_s_audio(struct file *file, void *fh, const struct v4l2_audio * 
	}

	return 0;

}

	return -EINVAL;

}



#ifdef CONFIG_VIDEO_ADV_DEBUG

static int vidioc_g_register(struct file *file, void *fh, struct v4l2_dbg_register *reg)