From f13613acfb1a71895ac886dc831d6ae4e20e241a Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab@infradead.org>
Date: Tue, 22 Apr 2008 14:42:13 -0300
Subject: V4L/DVB (7235): tuner-simple: fix a buffer overflow

simple_set_tv() creates a buffer with 4 elements, and calls
simple_std_setup(), passing &buffer[1]. This makes the 5th element of buffer to
be initialized to 0, overriding some area outside the buffer.

Also, simple_std_setup() receives a buffer as parameter, but the buffer is
just overriden after the call, so, it doesn't make much sense to pass it as a
parameter.

This patch removes buffer[] from the function call, creating, instead, a local
var to be used internally.

Thanks to Axel Rometsch <axel.rometsch@freenet.de> for pointing the issue.

Reviewed-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
---
 drivers/media/video/tuner-simple.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'drivers/media')

diff --git a/drivers/media/video/tuner-simple.c b/drivers/media/video/tuner-simple.c
index dc2467159ece..ee5ef860700a 100644
--- a/drivers/media/video/tuner-simple.c
+++ b/drivers/media/video/tuner-simple.c
@@ -251,7 +251,7 @@ static int simple_config_lookup(struct dvb_frontend *fe,
 
 static int simple_std_setup(struct dvb_frontend *fe,
 			    struct analog_parameters *params,
-			    u8 *buffer, u8 *config, u8 *cb)
+			    u8 *config, u8 *cb)
 {
 	struct tuner_simple_priv *priv = fe->tuner_priv;
 	u8 tuneraddr;
@@ -323,14 +323,12 @@ static int simple_std_setup(struct dvb_frontend *fe,
 		break;
 
 	case TUNER_PHILIPS_TUV1236D:
+	{
 		/* 0x40 -> ATSC antenna input 1 */
 		/* 0x48 -> ATSC antenna input 2 */
 		/* 0x00 -> NTSC antenna input 1 */
 		/* 0x08 -> NTSC antenna input 2 */
-		buffer[0] = 0x14;
-		buffer[1] = 0x00;
-		buffer[2] = 0x17;
-		buffer[3] = 0x00;
+		u8 buffer[4] = { 0x14, 0x00, 0x17, 0x00};
 		*cb &= ~0x40;
 		if (params->std & V4L2_STD_ATSC) {
 			*cb |= 0x40;
@@ -351,6 +349,7 @@ static int simple_std_setup(struct dvb_frontend *fe,
 		/* FIXME: input */
 		break;
 	}
+	}
 
 	return 0;
 }
@@ -509,7 +508,7 @@ static int simple_set_tv_freq(struct dvb_frontend *fe,
 		  offset / 16, offset % 16 * 100 / 16, div);
 
 	/* tv norm specific stuff for multi-norm tuners */
-	simple_std_setup(fe, params, &buffer[1], &config, &cb);
+	simple_std_setup(fe, params, &config, &cb);
 
 	if (t_params->cb_first_if_lower_freq && div < priv->last_div) {
 		buffer[0] = config;
-- 
cgit v1.2.3