commit 7ac95cf59d59473e680937319594ce0719497e98
author Dan Carpenter <dan.carpenter@oracle.com> Tue Sep 09 09:11:23 2014 -0300
committer Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tue Sep 23 16:13:39 2014 -0300
tree b7cb5b002d0e71aacb17868f228d880cf8d5a2cb
parent cf3b576d52c1f0a204f0c8bdecc22a338f7ca5a4

[media] firewire: firedtv-avc: fix more potential buffer overflow

"program_info_length" is user controlled and can go up to 4095.  The
operand[] array has 509 bytes so we need to add a limit here to prevent
buffer overflows.

The " - 4" in the limit check is because we have 4 bytes more data to
add after the memcpy().

[mchehab@osg.samsung.com: as I merged the version 1 of the patch, I needed
 to rebase to apply just the differences between v1 and v2]
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

drivers/media/firewire/firedtv-avc.c

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index ac17567..251a556 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1157,7 +1157,7 @@
 		if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
 			dev_err(fdtv->device,
 				"invalid pmt_cmd_id %d\n", pmt_cmd_id);
-		if (program_info_length > sizeof(c->operand) - write_pos) {
+		if (program_info_length > sizeof(c->operand) - 4 - write_pos) {
 			ret = -EINVAL;
 			goto out;
 		}
@@ -1184,7 +1184,8 @@
 				dev_err(fdtv->device, "invalid pmt_cmd_id %d "
 					"at stream level\n", pmt_cmd_id);
 
-			if (es_info_length > sizeof(c->operand) - write_pos) {
+			if (es_info_length > sizeof(c->operand) - 4 -
+					     write_pos) {
 				ret = -EINVAL;
 				goto out;
 			}