Commit 09506908 authored by Sean Young's avatar Sean Young Committed by Kleber Sacilotto de Souza

media: technisat-usb2: break out of loop at end of buffer

BugLink: https://bugs.launchpad.net/bugs/1845405

commit 0c4df39e upstream.

Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.

Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Signed-off-by: default avatarSean Young <sean@mess.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 8ef64192
...@@ -594,9 +594,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a) ...@@ -594,9 +594,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
static int technisat_usb2_get_ir(struct dvb_usb_device *d) static int technisat_usb2_get_ir(struct dvb_usb_device *d)
{ {
u8 buf[62], *b; u8 buf[62];
int ret;
struct ir_raw_event ev; struct ir_raw_event ev;
int i, ret;
buf[0] = GET_IR_DATA_VENDOR_REQUEST; buf[0] = GET_IR_DATA_VENDOR_REQUEST;
buf[1] = 0x08; buf[1] = 0x08;
...@@ -632,26 +632,25 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) ...@@ -632,26 +632,25 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
return 0; /* no key pressed */ return 0; /* no key pressed */
/* decoding */ /* decoding */
b = buf+1;
#if 0 #if 0
deb_rc("RC: %d ", ret); deb_rc("RC: %d ", ret);
debug_dump(b, ret, deb_rc); debug_dump(buf + 1, ret, deb_rc);
#endif #endif
ev.pulse = 0; ev.pulse = 0;
while (1) { for (i = 1; i < ARRAY_SIZE(buf); i++) {
ev.pulse = !ev.pulse; if (buf[i] == 0xff) {
ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
ir_raw_event_store(d->rc_dev, &ev);
b++;
if (*b == 0xff) {
ev.pulse = 0; ev.pulse = 0;
ev.duration = 888888*2; ev.duration = 888888*2;
ir_raw_event_store(d->rc_dev, &ev); ir_raw_event_store(d->rc_dev, &ev);
break; break;
} }
ev.pulse = !ev.pulse;
ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
FIRMWARE_CLOCK_TICK) / 1000;
ir_raw_event_store(d->rc_dev, &ev);
} }
ir_raw_event_handle(d->rc_dev); ir_raw_event_handle(d->rc_dev);
......
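Review bot: The new `for` loop in technisat_usb2_get_ir() stops at `ARRAY_SIZE(buf)`, but it is not limited to the number of bytes the device actually returned. `buf` is a 62-byte stack array, and `ret` looks like the received length, judging by the `debug_dump(buf + 1, ret, deb_rc)` call; the transfer itself is outside the visible hunks, so this should be confirmed. If that holds, a short reply with no 0xff terminator makes the loop decode leftover stack bytes as pulse durations and pass them to `ir_raw_event_store()`. Bounding the loop by both limits would close that gap: `for (i = 1; i < ret && i < ARRAY_SIZE(buf); i++) {`. A one-line comment above the loop, such as `/* buf[1..] holds pulse/space lengths, terminated by 0xff */`, would also record the framing the loop depends on.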