DivestOS/Patches/Linux_CVEs/CVE-2014-9881/ANY/0.patch
2017-10-29 22:14:37 -04:00

64 lines
2.0 KiB
Diff

From ba3f404a10b3bb7e9c20440837df3cd35c5d0c4b Mon Sep 17 00:00:00 2001
From: Ayaz Ahmad <aahmad@codeaurora.org>
Date: Thu, 31 Oct 2013 19:08:05 +0530
Subject: radio: iris: Prevent probable overflow
casting a unsigned int into an integer, integer to
unsigned int may cause buffer overflow.
Change-Id: I54be4d4c5470616a59a772c587fe6d5f32575c32
CRs-Fixed: 539008
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
---
drivers/media/radio/radio-iris.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
index bfb1088..12fd7cf 100644
--- a/drivers/media/radio/radio-iris.c
+++ b/drivers/media/radio/radio-iris.c
@@ -3032,7 +3032,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
struct v4l2_ext_controls *ctrl)
{
int retval = 0;
- int bytes_to_copy;
+ size_t bytes_to_copy;
struct hci_fm_tx_ps tx_ps;
struct hci_fm_tx_rt tx_rt;
struct hci_fm_def_data_wr_req default_data;
@@ -3041,14 +3041,20 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
struct iris_device *radio = video_get_drvdata(video_devdata(file));
char *data = NULL;
+ if ((ctrl == NULL) || (ctrl->controls == NULL)
+ || (ctrl->count == 0)) {
+ retval = -EINVAL;
+ return retval;
+ }
+
switch ((ctrl->controls[0]).id) {
case V4L2_CID_RDS_TX_PS_NAME:
FMDBG("In V4L2_CID_RDS_TX_PS_NAME\n");
/*Pass a sample PS string */
memset(tx_ps.ps_data, 0, MAX_PS_LENGTH);
- bytes_to_copy = min((int)(ctrl->controls[0]).size,
- MAX_PS_LENGTH);
+ bytes_to_copy = min_t(size_t, ctrl->controls[0].size,
+ MAX_PS_LENGTH);
data = (ctrl->controls[0]).string;
if (copy_from_user(tx_ps.ps_data,
@@ -3065,7 +3071,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
break;
case V4L2_CID_RDS_TX_RADIO_TEXT:
bytes_to_copy =
- min((int)(ctrl->controls[0]).size, MAX_RT_LENGTH);
+ min_t(size_t, (ctrl->controls[0]).size, MAX_RT_LENGTH);
data = (ctrl->controls[0]).string;
memset(tx_rt.rt_data, 0, MAX_RT_LENGTH);
--
cgit v1.1