[bug report] [media] dib8000: potential off by one

* [bug report] [media] dib8000: potential off by one
@ 2019-02-12 12:48 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2019-02-12 12:48 UTC (permalink / raw)
  To: pboettcher; +Cc: linux-media

Hello Patrick Boettcher,

The patch 173a64cb3fcf: "[media] dib8000: enhancement" from Apr 22,
2013, leads to the following static checker warning:

	drivers/media/dvb-frontends/dib8000.c:2132 dib8000_get_init_prbs()
	error: buffer overflow 'lut_prbs_2k' 14 <= 14

drivers/media/dvb-frontends/dib8000.c
    2123 static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchannel)
    2124 {
    2125 	int sub_channel_prbs_group = 0;
    2126 
    2127 	sub_channel_prbs_group = (subchannel / 3) + 1;
    2128 	dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group]);
    2129 
    2130 	switch (state->fe[0]->dtv_property_cache.transmission_mode) {
    2131 	case TRANSMISSION_MODE_2K:
--> 2132 			return lut_prbs_2k[sub_channel_prbs_group];
    2133 	case TRANSMISSION_MODE_4K:
    2134 			return lut_prbs_4k[sub_channel_prbs_group];
    2135 	default:
    2136 	case TRANSMISSION_MODE_8K:
    2137 			return lut_prbs_8k[sub_channel_prbs_group];
    2138 	}
    2139 }

[ snip ]

  3305                  break;
  3306  
  3307          case CT_DEMOD_STEP_11:  /* 41 : init prbs autosearch */
  3308                  if (state->subchannel <= 41) {
                            ^^^^^^^^^^^^^^^^^^^^^^^
The problem is here.  If ->subchannel is 41 then we are off by one.
In the original code this was something like state->subchannel % 41 so
I suspect the fix is to change <= to just < but I'm not totally sure.

  3309                          dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->subchannel));
  3310                          *tune_state = CT_DEMOD_STEP_9;
  3311                  } else {
  3312                          *tune_state = CT_DEMOD_STOP;
  3313                          state->status = FE_STATUS_TUNE_FAILED;
  3314                  }
  3315                  break;
  3316  
  3317          default:
  3318                  break;
  3319          }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread