evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

V4L/DVB (4070): Zoran strncpy() fix

Browse source 
The zoran driver uses strncpy() in an unsafe way.  This patch uses the proper
sizeof()-1 size parameter.  Since all strncpy() targets are initialised with
memset() the trailing '\0' is already set.  Where std->name was the target for
the strncpy() we overwrote 8 Bytes of the std structure with zeros.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
This commit is contained in:
Eric Sesterhenn 2006-06-06 11:20:08 -03:00 committed by Mauro Carvalho Chehab
parent 5e87efa3b2
commit 845f16abad
2 changed files with 15 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
drivers/media/video/zoran_driver.c
View file

@ -2048,7 +2048,7 @@ zoran_do_ioctl (struct inode *inode,
dprintk(3, KERN_DEBUG "%s: VIDIOCGCAP\n", ZR_DEVNAME(zr)); dprintk(3, KERN_DEBUG "%s: VIDIOCGCAP\n", ZR_DEVNAME(zr));
memset(vcap, 0, sizeof(struct video_capability)); memset(vcap, 0, sizeof(struct video_capability));
strncpy(vcap->name, ZR_DEVNAME(zr), sizeof(vcap->name)); strncpy(vcap->name, ZR_DEVNAME(zr), sizeof(vcap->name)-1);
vcap->type = ZORAN_VID_TYPE; vcap->type = ZORAN_VID_TYPE;
vcap->channels = zr->card.inputs; vcap->channels = zr->card.inputs;
@ -2690,8 +2690,8 @@ zoran_do_ioctl (struct inode *inode,
dprintk(3, KERN_DEBUG "%s: VIDIOC_QUERYCAP\n", ZR_DEVNAME(zr)); dprintk(3, KERN_DEBUG "%s: VIDIOC_QUERYCAP\n", ZR_DEVNAME(zr));
memset(cap, 0, sizeof(*cap)); memset(cap, 0, sizeof(*cap));
strncpy(cap->card, ZR_DEVNAME(zr), sizeof(cap->card)); strncpy(cap->card, ZR_DEVNAME(zr), sizeof(cap->card)-1);
strncpy(cap->driver, "zoran", sizeof(cap->driver)); strncpy(cap->driver, "zoran", sizeof(cap->driver)-1);
snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s",
pci_name(zr->pci_dev)); pci_name(zr->pci_dev));
cap->version = cap->version =
@ -2743,7 +2743,7 @@ zoran_do_ioctl (struct inode *inode,
memset(fmt, 0, sizeof(*fmt)); memset(fmt, 0, sizeof(*fmt));
fmt->index = index; fmt->index = index;
fmt->type = type; fmt->type = type;
strncpy(fmt->description, zoran_formats[i].name, 31); strncpy(fmt->description, zoran_formats[i].name, sizeof(fmt->description)-1);
fmt->pixelformat = zoran_formats[i].fourcc; fmt->pixelformat = zoran_formats[i].fourcc;
if (zoran_formats[i].flags & ZORAN_FORMAT_COMPRESSED) if (zoran_formats[i].flags & ZORAN_FORMAT_COMPRESSED)
fmt->flags |= V4L2_FMT_FLAG_COMPRESSED; fmt->flags |= V4L2_FMT_FLAG_COMPRESSED;
@ -3567,16 +3567,16 @@ zoran_do_ioctl (struct inode *inode,
switch (ctrl->id) { switch (ctrl->id) {
case V4L2_CID_BRIGHTNESS: case V4L2_CID_BRIGHTNESS:
strncpy(ctrl->name, "Brightness", 31); strncpy(ctrl->name, "Brightness", sizeof(ctrl->name)-1);
break; break;
case V4L2_CID_CONTRAST: case V4L2_CID_CONTRAST:
strncpy(ctrl->name, "Contrast", 31); strncpy(ctrl->name, "Contrast", sizeof(ctrl->name)-1);
break; break;
case V4L2_CID_SATURATION: case V4L2_CID_SATURATION:
strncpy(ctrl->name, "Saturation", 31); strncpy(ctrl->name, "Saturation", sizeof(ctrl->name)-1);
break; break;
case V4L2_CID_HUE: case V4L2_CID_HUE:
strncpy(ctrl->name, "Hue", 31); strncpy(ctrl->name, "Hue", sizeof(ctrl->name)-1);
break; break;
} }
@ -3694,7 +3694,7 @@ zoran_do_ioctl (struct inode *inode,
&caps); &caps);
if (caps.flags & VIDEO_DECODER_AUTO) { if (caps.flags & VIDEO_DECODER_AUTO) {
std->id = V4L2_STD_ALL; std->id = V4L2_STD_ALL;
strncpy(std->name, "Autodetect", 31); strncpy(std->name, "Autodetect", sizeof(std->name)-1);
return 0; return 0;
} else } else
return -EINVAL; return -EINVAL;
@ -3702,21 +3702,21 @@ zoran_do_ioctl (struct inode *inode,
switch (std->index) { switch (std->index) {
case 0: case 0:
std->id = V4L2_STD_PAL; std->id = V4L2_STD_PAL;
strncpy(std->name, "PAL", 31); strncpy(std->name, "PAL", sizeof(std->name)-1);
std->frameperiod.numerator = 1; std->frameperiod.numerator = 1;
std->frameperiod.denominator = 25; std->frameperiod.denominator = 25;
std->framelines = zr->card.tvn[0]->Ht; std->framelines = zr->card.tvn[0]->Ht;
break; break;
case 1: case 1:
std->id = V4L2_STD_NTSC; std->id = V4L2_STD_NTSC;
strncpy(std->name, "NTSC", 31); strncpy(std->name, "NTSC", sizeof(std->name)-1);
std->frameperiod.numerator = 1001; std->frameperiod.numerator = 1001;
std->frameperiod.denominator = 30000; std->frameperiod.denominator = 30000;
std->framelines = zr->card.tvn[1]->Ht; std->framelines = zr->card.tvn[1]->Ht;
break; break;
case 2: case 2:
std->id = V4L2_STD_SECAM; std->id = V4L2_STD_SECAM;
strncpy(std->name, "SECAM", 31); strncpy(std->name, "SECAM", sizeof(std->name)-1);
std->frameperiod.numerator = 1; std->frameperiod.numerator = 1;
std->frameperiod.denominator = 25; std->frameperiod.denominator = 25;
std->framelines = zr->card.tvn[2]->Ht; std->framelines = zr->card.tvn[2]->Ht;
@ -3872,7 +3872,7 @@ zoran_do_ioctl (struct inode *inode,
memset(outp, 0, sizeof(*outp)); memset(outp, 0, sizeof(*outp));
outp->index = 0; outp->index = 0;
outp->type = V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY; outp->type = V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY;
strncpy(outp->name, "Autodetect", 31); strncpy(outp->name, "Autodetect", sizeof(outp->name)-1);
return 0; return 0;
} }

2
include/linux/videodev2.h
View file

@ -14,7 +14,9 @@
*/ */
#ifndef __LINUX_VIDEODEV2_H #ifndef __LINUX_VIDEODEV2_H
#define __LINUX_VIDEODEV2_H #define __LINUX_VIDEODEV2_H
#ifdef __KERNEL__
#include <linux/time.h> /* need struct timeval */ #include <linux/time.h> /* need struct timeval */
#endif
#include <linux/types.h> #include <linux/types.h>
#include <linux/compiler.h> /* need __user */ #include <linux/compiler.h> /* need __user */