git.ipfire.org Git - thirdparty/kernel/stable.git/commit

media: pvrusb2: Prevent a buffer overflow

[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]

The ctrl_check_input() function is called from pvr2_ctrl_range_check().
It's supposed to validate user supplied input and return true or false
depending on whether the input is valid or not.  The problem is that
negative shifts or shifts greater than 31 are undefined in C.  In
practice with GCC they result in shift wrapping so this function returns
true for some inputs which are not valid and this could result in a
buffer overflow:

    drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
    warn: uncapped user index 'names[val]'

The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
and the highest valid bit is BIT(4).

Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

author	Dan Carpenter <dan.carpenter@oracle.com>
	Mon, 8 Apr 2019 09:52:38 +0000 (05:52 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 31 May 2019 13:43:28 +0000 (06:43 -0700)
commit	5ffb30e6fa840af9dc4e478eb1c31f0ba40e5f26
tree	4a41e86a02b8c163410b2c1f40f260995c8b537c	tree \| snapshot
parent	02dce75ac8aa16d0ec5a2632286e97204c9f98f7	commit \| diff

drivers/media/usb/pvrusb2/pvrusb2-hdw.c		diff \| blob \| blame \| history
drivers/media/usb/pvrusb2/pvrusb2-hdw.h		diff \| blob \| blame \| history