From: Mauro Carvalho Chehab Date: Sun, 2 May 2010 20:14:33 +0000 (-0300) Subject: V4L/DVB: tm6000: Don't copy outside the buffer X-Git-Tag: master-2010-06-02~111^2~97 X-Git-Url: http://pileus.org/git/?a=commitdiff_plain;h=801dd3b32d2a09a883d0cf182eb6956945e5a429;p=~andy%2Flinux V4L/DVB: tm6000: Don't copy outside the buffer tm6000 tm6000_irq_callback :urb resubmit failed (error=-1) BUG: unable to handle kernel paging request at 000000000100f700 IP: [] tm6000_irq_callback+0x51e/0xac7 [tm6000] (gdb) list * tm6000_irq_callback+0x51e 0x2e79 is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:363). 358 dev->isoc_ctl.tmp_buf_len--; 359 } 360 if (dev->isoc_ctl.tmp_buf_len) { 361 memcpy (&header,p, 362 dev->isoc_ctl.tmp_buf_l$ 363 memcpy (((u8 *)header)+ 364 dev->isoc_ctl.tmp_buf, 365 ptr, 366 4-dev->isoc_ctl.tmp_buf$ 367 ptr+=4-dev->isoc_ctl.tmp_buf_le$ Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/staging/tm6000/tm6000-video.c b/drivers/staging/tm6000/tm6000-video.c index edc59424d26..bed758fe4c3 100644 --- a/drivers/staging/tm6000/tm6000-video.c +++ b/drivers/staging/tm6000/tm6000-video.c @@ -360,13 +360,13 @@ static int copy_streams(u8 *data, u8 *out_p, unsigned long len, dev->isoc_ctl.tmp_buf_len--; } if (dev->isoc_ctl.tmp_buf_len) { - memcpy (&header,p, + memcpy(&header, p, dev->isoc_ctl.tmp_buf_len); - memcpy (((u8 *)header)+ - dev->isoc_ctl.tmp_buf, + memcpy((u8 *)&header + + dev->isoc_ctl.tmp_buf_len, ptr, - 4-dev->isoc_ctl.tmp_buf_len); - ptr+=4-dev->isoc_ctl.tmp_buf_len; + 4 - dev->isoc_ctl.tmp_buf_len); + ptr += 4 - dev->isoc_ctl.tmp_buf_len; goto HEADER; } }