cx18_i2c_register() is called in cx18_init_subdevs() with index
greater than length of hw_bus array, that will cause array overrun,
introduce a helper cx18_get_max_bus_num() to void it.
Signed-off-by: Ethan Zhao <ethan.ker...@gmail.com>
---
drivers/media/pci/cx18/cx18-driver.c | 2 +-
drivers/media/pci/cx18/cx18-i2c.c | 5 +++++
drivers/media/pci/cx18/cx18-i2c.h | 1 +
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/media/pci/cx18/cx18-driver.c
b/drivers/media/pci/cx18/cx18-driver.c
index 6386ced..dadcd4a 100644
--- a/drivers/media/pci/cx18/cx18-driver.c
+++ b/drivers/media/pci/cx18/cx18-driver.c
@@ -856,7 +856,7 @@ static void cx18_init_subdevs(struct cx18 *cx)
u32 device;
int i;
- for (i = 0, device = 1; i < 32; i++, device <<= 1) {
+ for (i = 0, device = 1; i < cx18_get_max_bus_num(); i++, device <<= 1) {
if (!(device & hw))
continue;
diff --git a/drivers/media/pci/cx18/cx18-i2c.c
b/drivers/media/pci/cx18/cx18-i2c.c
index 4af8cd6..e0e8193 100644
--- a/drivers/media/pci/cx18/cx18-i2c.c
+++ b/drivers/media/pci/cx18/cx18-i2c.c
@@ -108,6 +108,11 @@ static int cx18_i2c_new_ir(struct cx18 *cx, struct
i2c_adapter *adap, u32 hw,
-1 : 0;
}
+int cx18_get_max_bus_num()
+{
+ return sizeof(hw_bus);
+}
+
int cx18_i2c_register(struct cx18 *cx, unsigned idx)
{
struct v4l2_subdev *sd;
diff --git a/drivers/media/pci/cx18/cx18-i2c.h
b/drivers/media/pci/cx18/cx18-i2c.h
index 1180fdc..8cce205 100644
--- a/drivers/media/pci/cx18/cx18-i2c.h
+++ b/drivers/media/pci/cx18/cx18-i2c.h
@@ -21,6 +21,7 @@
* 02111-1307 USA
*/
+int cx18_get_max_bus_num();
int cx18_i2c_register(struct cx18 *cx, unsigned idx);
struct v4l2_subdev *cx18_find_hw(struct cx18 *cx, u32 hw);
--
1.8.3.4 (Apple Git-47)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
