From a230e55d92347e09d9ba2e97096df114b2dfaf2d Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Wed, 21 May 2008 00:30:41 -0300
Subject: V4L/DVB (7957): fix the roothole in av7110_av.c direct dereferencing from user-supplied address
Signed-off-by: Al Viro
Reviewed-by: Oliver Endriss
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/dvb/ttpci/av7110_av.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-) (limited to 'drivers/media/dvb/ttpci')
diff --git a/drivers/media/dvb/ttpci/av7110_av.c b/drivers/media/dvb/ttpci/av7110_av.c
index 3e6b650fbb81..ec55a968f204 100644
--- a/drivers/media/dvb/ttpci/av7110_av.c
+++ b/drivers/media/dvb/ttpci/av7110_av.c
@@ -965,8 +965,9 @@ static u8 iframe_header[] = { 0x00, 0x00, 0x01, 0xe0, 0x00, 0x00, 0x80, 0x00, 0x
 static int play_iframe(struct av7110 *av7110, char __user *buf, unsigned int len, int nonblock)
 {
- int i, n;
+ unsigned i, n;
 int progressive = 0;
+ int match = 0;
 dprintk(2, "av7110:%p, \n", av7110);
@@ -975,12 +976,31 @@ static int play_iframe(struct av7110 *av7110, char __user *buf, unsigned int len
 return -EBUSY;
 }
- for (i = 0; i < len - 5; i++) {
- /* get progressive flag from picture extension */
- if (buf[i] == 0x00 && buf[i+1] == 0x00 &&
- buf[i+2] == 0x01 && (unsigned char)buf[i+3] == 0xb5 &&
- (buf[i+4] & 0xf0) == 0x10)
- progressive = buf[i+5] & 0x08;
+ /* search in buf for instances of 00 00 01 b5 1? */
+ for (i = 0; i < len; i++) {
+ unsigned char c;
+ if (get_user(c, buf + i))
+ return -EFAULT;
+ if (match == 5) {
+ progressive = c & 0x08;
+ match = 0;
+ }
+ if (c == 0x00) {
+ match = (match == 1 || match == 2) ? 2 : 1;
+ continue;
+ }
+ switch (match++) {
+ case 2: if (c == 0x01)
+ continue;
+ break;
+ case 3: if (c == 0xb5)
+ continue;
+ break;
+ case 4: if ((c & 0xf0) == 0x10)
+ continue;
+ break;
+ }
+ match = 0;
 }
 /* setting n always > 1, fixes problems when playing stillframes
-- cgit v1.2.1
From 3e085629bc921c37c1bb2e2fb6227fa14de14682 Mon Sep 17 00:00:00 2001
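Review bot: The scan loop in the second hunk reads the frame from user memory with `get_user(c, buf + i)` only to derive `progressive`; if the remainder of play_iframe, which lies outside the hunk, copies `buf` again for playback, the data is fetched twice and the flag can describe bytes other than the ones played. That is acceptable only while the flag is advisory, and a comment above the loop should say so, e.g. `/* scan only: buf is user memory and may change before it is copied for playback */`. `match` deserves a one-line comment as well: it counts the pattern bytes matched so far, and 5 means the current byte carries the flag. In the first hunk `unsigned i, n;` would read better as `unsigned int i, n;`, matching the `unsigned int len` parameter.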
From: Al Viro
Date: Wed, 21 May 2008 00:30:51 -0300
Subject: V4L/DVB (7958): fix unaligned access in av7110.c
Signed-off-by: Al Viro
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/dvb/ttpci/av7110.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'drivers/media/dvb/ttpci')
diff --git a/drivers/media/dvb/ttpci/av7110.c b/drivers/media/dvb/ttpci/av7110.c
index 747e7f1a6267..f05d43d8b5cf 100644
--- a/drivers/media/dvb/ttpci/av7110.c
+++ b/drivers/media/dvb/ttpci/av7110.c
@@ -51,6 +51,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -1461,9 +1462,9 @@ static int check_firmware(struct av7110* av7110)
 ptr += 4;
 /* check dpram file */
- crc = ntohl(*(u32*) ptr);
+ crc = get_unaligned_be32(ptr);
 ptr += 4;
- len = ntohl(*(u32*) ptr);
+ len = get_unaligned_be32(ptr);
 ptr += 4;
 if (len >= 512) {
 printk("dvb-ttpci: dpram file is way too big.\n");
@@ -1478,9 +1479,9 @@ static int check_firmware(struct av7110* av7110)
 ptr += len;
 /* check root file */
- crc = ntohl(*(u32*) ptr);
+ crc = get_unaligned_be32(ptr);
 ptr += 4;
- len = ntohl(*(u32*) ptr);
+ len = get_unaligned_be32(ptr);
 ptr += 4;
 if (len <= 200000 || len >= 300000 ||
-- cgit v1.2.1
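Review bot: The `get_unaligned_be32(ptr)` pairs in the dpram hunk, and again in the root-file hunk, each read eight header bytes with no visible check that that many bytes remain in the firmware image; the alignment fix leaves this as it was. check_firmware begins and ends outside these hunks, so a size check may already exist above, and the root-file condition `len <= 200000 || len >= 300000 ||` continues past the hunk; for the dpram block only `len >= 512` is visible. If no earlier check covers it, compare the bytes remaining in the image with 8 before each header read and with `len` before `ptr += len`.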