[media] firewire: firedtv-avc: potential buffer overflow "program_info_length" is user controlled and can go up to 4095. The operand[] array has 509 bytes so we need to add a limit here to prevent buffer overflows. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

commit: 3011e5e592a2d31556cc3eff335a1ecccd473fa0 [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Mon Sep 08 08:18:43 2014 -0300
committer: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tue Sep 23 16:13:37 2014 -0300
tree: 7285f69453ed9f0822019e42afb3ef10fe39c8c8
parent: f2e323ec96077642d397bb1c355def536d489d16 [diff]
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index d1a1a13..ac17567 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c

@@ -1157,6 +1157,10 @@
 		if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
 			dev_err(fdtv->device,
 				"invalid pmt_cmd_id %d\n", pmt_cmd_id);
+		if (program_info_length > sizeof(c->operand) - write_pos) {
+			ret = -EINVAL;
+			goto out;
+		}
 
 		memcpy(&c->operand[write_pos], &msg[read_pos],
 		       program_info_length);
@@ -1180,6 +1184,11 @@
 				dev_err(fdtv->device, "invalid pmt_cmd_id %d "
 					"at stream level\n", pmt_cmd_id);
 
+			if (es_info_length > sizeof(c->operand) - write_pos) {
+				ret = -EINVAL;
+				goto out;
+			}
+
 			memcpy(&c->operand[write_pos], &msg[read_pos],
 			       es_info_length);
 			read_pos += es_info_length;
commit	3011e5e592a2d31556cc3eff335a1ecccd473fa0	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Mon Sep 08 08:18:43 2014 -0300
committer	Mauro Carvalho Chehab <mchehab@osg.samsung.com>	Tue Sep 23 16:13:37 2014 -0300
tree	7285f69453ed9f0822019e42afb3ef10fe39c8c8
parent	f2e323ec96077642d397bb1c355def536d489d16 [diff]