media: rc: ensure we do not read out of bounds If rc_validate_filter() is called for CEC or XMP, then we would read beyond the end of the array. Suggested-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit: 2168b416c8326cc2edff9d986feebc569cf9ec10 [log] [tgz]
author: Sean Young <sean@mess.org> Mon Aug 07 09:21:29 2017 -0400
committer: Mauro Carvalho Chehab <mchehab@s-opensource.com> Sun Aug 20 09:57:54 2017 -0400
tree: f919b0e514ef8b181e89eea8c72e1b459f3e4064
parent: 86fe1ac0d563477b1d10d49a92237e3f3d74e7be [diff] [blame]
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index f306e67..7aaf28b 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c

@@ -733,7 +733,7 @@ EXPORT_SYMBOL_GPL(rc_keydown_notimeout);
 static int rc_validate_filter(struct rc_dev *dev,
 			      struct rc_scancode_filter *filter)
 {
-	static u32 masks[] = {
+	static const u32 masks[] = {
 		[RC_TYPE_RC5] = 0x1f7f,
 		[RC_TYPE_RC5X_20] = 0x1f7f3f,
 		[RC_TYPE_RC5_SZ] = 0x2fff,
@@ -757,6 +757,9 @@ static int rc_validate_filter(struct rc_dev *dev,
 	u32 s = filter->data;
 	enum rc_type protocol = dev->wakeup_protocol;
 
+	if (protocol >= ARRAY_SIZE(masks))
+		return -EINVAL;
+
 	switch (protocol) {
 	case RC_TYPE_NECX:
 		if ((((s >> 16) ^ ~(s >> 8)) & 0xff) == 0)
commit	2168b416c8326cc2edff9d986feebc569cf9ec10	[log] [tgz]
author	Sean Young <sean@mess.org>	Mon Aug 07 09:21:29 2017 -0400
committer	Mauro Carvalho Chehab <mchehab@s-opensource.com>	Sun Aug 20 09:57:54 2017 -0400
tree	f919b0e514ef8b181e89eea8c72e1b459f3e4064
parent	86fe1ac0d563477b1d10d49a92237e3f3d74e7be [diff] [blame]