V4L/DVB: tm6000: Don't copy outside the buffer
tm6000 tm6000_irq_callback :urb resubmit failed (error=-1)
BUG: unable to handle kernel paging request at 000000000100f700
IP: [<ffffffffa007ee79>] tm6000_irq_callback+0x51e/0xac7 [tm6000]
(gdb) list * tm6000_irq_callback+0x51e
0x2e79 is in tm6000_irq_callback (drivers/staging/tm6000/tm6000-video.c:363).
358 dev->isoc_ctl.tmp_buf_len--;
359 }
360 if (dev->isoc_ctl.tmp_buf_len) {
361 memcpy (&header,p,
362 dev->isoc_ctl.tmp_buf_l$
363 memcpy (((u8 *)header)+
364 dev->isoc_ctl.tmp_buf,
365 ptr,
366 4-dev->isoc_ctl.tmp_buf$
367 ptr+=4-dev->isoc_ctl.tmp_buf_le$
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
diff --git a/drivers/staging/tm6000/tm6000-video.c b/drivers/staging/tm6000/tm6000-video.c
index edc5942..bed758f 100644
--- a/drivers/staging/tm6000/tm6000-video.c
+++ b/drivers/staging/tm6000/tm6000-video.c
@@ -360,13 +360,13 @@
dev->isoc_ctl.tmp_buf_len--;
}
if (dev->isoc_ctl.tmp_buf_len) {
- memcpy (&header,p,
+ memcpy(&header, p,
dev->isoc_ctl.tmp_buf_len);
- memcpy (((u8 *)header)+
- dev->isoc_ctl.tmp_buf,
+ memcpy((u8 *)&header +
+ dev->isoc_ctl.tmp_buf_len,
ptr,
- 4-dev->isoc_ctl.tmp_buf_len);
- ptr+=4-dev->isoc_ctl.tmp_buf_len;
+ 4 - dev->isoc_ctl.tmp_buf_len);
+ ptr += 4 - dev->isoc_ctl.tmp_buf_len;
goto HEADER;
}
}