projects
/
deliverable
/
linux.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Merge branch 'linus' into core/rcu
[deliverable/linux.git]
/
drivers
/
media
/
common
/
tuners
/
tuner-xc2028.c
diff --git
a/drivers/media/common/tuners/tuner-xc2028.c
b/drivers/media/common/tuners/tuner-xc2028.c
index 30eb07b7f9efb13b2c0a071c7b1be84c3f450d0c..4dd1d2421cc529fde892a6204b02dd725d25f277 100644
(file)
--- a/
drivers/media/common/tuners/tuner-xc2028.c
+++ b/
drivers/media/common/tuners/tuner-xc2028.c
@@
-15,6
+15,7
@@
#include <linux/delay.h>
#include <media/tuner.h>
#include <linux/mutex.h>
#include <linux/delay.h>
#include <media/tuner.h>
#include <linux/mutex.h>
+#include <asm/unaligned.h>
#include "tuner-i2c.h"
#include "tuner-xc2028.h"
#include "tuner-xc2028-types.h"
#include "tuner-i2c.h"
#include "tuner-xc2028.h"
#include "tuner-xc2028-types.h"
@@
-292,10
+293,10
@@
static int load_all_firmwares(struct dvb_frontend *fe)
name[sizeof(name) - 1] = 0;
p += sizeof(name) - 1;
name[sizeof(name) - 1] = 0;
p += sizeof(name) - 1;
- priv->firm_version =
le16_to_cpu(*(__u16 *)
p);
+ priv->firm_version =
get_unaligned_le16(
p);
p += 2;
p += 2;
- n_array =
le16_to_cpu(*(__u16 *)
p);
+ n_array =
get_unaligned_le16(
p);
p += 2;
tuner_info("Loading %d firmware images from %s, type: %s, ver %d.%d\n",
p += 2;
tuner_info("Loading %d firmware images from %s, type: %s, ver %d.%d\n",
@@
-324,26
+325,26
@@
static int load_all_firmwares(struct dvb_frontend *fe)
}
/* Checks if there's enough bytes to read */
}
/* Checks if there's enough bytes to read */
- if (p + sizeof(type) + sizeof(id) + sizeof(size) > endp) {
- tuner_err("Firmware header is incomplete!\n");
- goto corrupt;
- }
+ if (endp - p < sizeof(type) + sizeof(id) + sizeof(size))
+ goto header;
- type =
le32_to_cpu(*(__u32 *)
p);
+ type =
get_unaligned_le32(
p);
p += sizeof(type);
p += sizeof(type);
- id =
le64_to_cpu(*(v4l2_std_id *)
p);
+ id =
get_unaligned_le64(
p);
p += sizeof(id);
if (type & HAS_IF) {
p += sizeof(id);
if (type & HAS_IF) {
- int_freq =
le16_to_cpu(*(__u16 *)
p);
+ int_freq =
get_unaligned_le16(
p);
p += sizeof(int_freq);
p += sizeof(int_freq);
+ if (endp - p < sizeof(size))
+ goto header;
}
}
- size =
le32_to_cpu(*(__u32 *)
p);
+ size =
get_unaligned_le32(
p);
p += sizeof(size);
p += sizeof(size);
- if (
(!size) || (size + p > endp)
) {
+ if (
!size || size > endp - p
) {
tuner_err("Firmware type ");
dump_firm_type(type);
printk("(%x), id %llx is corrupted "
tuner_err("Firmware type ");
dump_firm_type(type);
printk("(%x), id %llx is corrupted "
@@
-382,6
+383,8
@@
static int load_all_firmwares(struct dvb_frontend *fe)
goto done;
goto done;
+header:
+ tuner_err("Firmware header is incomplete!\n");
corrupt:
rc = -EINVAL;
tuner_err("Error: firmware file is corrupted!\n");
corrupt:
rc = -EINVAL;
tuner_err("Error: firmware file is corrupted!\n");
This page took
0.099344 seconds
and
5
git commands to generate.