From 3cc2691227203c00cac1d82d6b0772224d5c87b2 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Thu, 22 Sep 2016 14:09:18 -0300 Subject: [PATCH] [media] ttusb_dec: avoid the risk of go past buffer Fixes this smatch warning: drivers/media/usb/ttusb-dec/ttusb_dec.c:243 ttusb_dec_handle_irq() error: buffer overflow 'rc_keys' 26 <= 126 As the RC keys should be enabled previously, via: set_bit(rc_keys[i], input_dev->keybit); It wouldn't go past the buffer in practice. Yet, as bad things may happen when going past buffer, it doesn't hurt adding a check here. While here, fix CodingStyle issues on the routine. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/ttusb-dec/ttusb_dec.c | 30 +++++++++++++++---------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c index 4e36e24cb3a6..4e7671a3a1e4 100644 --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c @@ -206,7 +206,7 @@ static void ttusb_dec_set_model(struct ttusb_dec *dec, static void ttusb_dec_handle_irq( struct urb *urb) { - struct ttusb_dec * dec = urb->context; + struct ttusb_dec *dec = urb->context; char *buffer = dec->irq_buffer; int retval; @@ -227,25 +227,31 @@ static void ttusb_dec_handle_irq( struct urb *urb) goto exit; } - if( (buffer[0] == 0x1) && (buffer[2] == 0x15) ) { - /* IR - Event */ - /* this is an fact a bit too simple implementation; + if ((buffer[0] == 0x1) && (buffer[2] == 0x15)) { + /* + * IR - Event + * + * this is an fact a bit too simple implementation; * the box also reports a keyrepeat signal * (with buffer[3] == 0x40) in an intervall of ~100ms. * But to handle this correctly we had to imlemenent some * kind of timer which signals a 'key up' event if no * keyrepeat signal is received for lets say 200ms. * this should/could be added later ... - * for now lets report each signal as a key down and up*/ - dprintk("%s:rc signal:%d\n", __func__, buffer[4]); - input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1); - input_sync(dec->rc_input_dev); - input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0); - input_sync(dec->rc_input_dev); + * for now lets report each signal as a key down and up + */ + if (buffer[4] - 1 < ARRAY_SIZE(rc_keys)) { + dprintk("%s:rc signal:%d\n", __func__, buffer[4]); + input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1); + input_sync(dec->rc_input_dev); + input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0); + input_sync(dec->rc_input_dev); + } } -exit: retval = usb_submit_urb(urb, GFP_ATOMIC); - if(retval) +exit: + retval = usb_submit_urb(urb, GFP_ATOMIC); + if (retval) printk("%s - usb_commit_urb failed with result: %d\n", __func__, retval); }