On Wed Sep 3 02:28:14 2025 +0300, Ivan Abramov wrote:
> It's possible for max1 to remain -1 if msp_read() always fail. This
> variable is further used as index for accessing arrays.
>
> Fix that by checking max1 prior to array accesses.
>
> It seems that restart is the preferable action in case of out-of-bounds
> value.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes
> (VIDIOC_G/S_TUNER)")
> Cc: [email protected]
> Signed-off-by: Ivan Abramov <[email protected]>
> Signed-off-by: Hans Verkuil <[email protected]>
Patch committed.
Thanks,
Hans Verkuil
drivers/media/i2c/msp3400-kthreads.c | 2 ++
1 file changed, 2 insertions(+)
---
diff --git a/drivers/media/i2c/msp3400-kthreads.c
b/drivers/media/i2c/msp3400-kthreads.c
index ecabc0e1d32e..1d9f41dd7c21 100644
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ restart:
"carrier2 val: %5d / %s\n", val, cd[i].name);
}
+ if (max1 < 0 || max1 > 3)
+ goto restart;
/* program the msp3400 according to the results */
state->main = msp3400c_carrier_detect_main[max1].cdo;
switch (max1) {
_______________________________________________
linuxtv-commits mailing list -- [email protected]
To unsubscribe send an email to [email protected]
