media: rc: ensure we do not read out of bounds
If rc_validate_filter() is called for CEC or XMP, then we would read beyond the end of the array. Suggested-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This commit is contained in:
parent
86fe1ac0d5
commit
2168b416c8
|
@ -733,7 +733,7 @@ EXPORT_SYMBOL_GPL(rc_keydown_notimeout);
|
|||
static int rc_validate_filter(struct rc_dev *dev,
|
||||
struct rc_scancode_filter *filter)
|
||||
{
|
||||
static u32 masks[] = {
|
||||
static const u32 masks[] = {
|
||||
[RC_TYPE_RC5] = 0x1f7f,
|
||||
[RC_TYPE_RC5X_20] = 0x1f7f3f,
|
||||
[RC_TYPE_RC5_SZ] = 0x2fff,
|
||||
|
@ -757,6 +757,9 @@ static int rc_validate_filter(struct rc_dev *dev,
|
|||
u32 s = filter->data;
|
||||
enum rc_type protocol = dev->wakeup_protocol;
|
||||
|
||||
if (protocol >= ARRAY_SIZE(masks))
|
||||
return -EINVAL;
|
||||
|
||||
switch (protocol) {
|
||||
case RC_TYPE_NECX:
|
||||
if ((((s >> 16) ^ ~(s >> 8)) & 0xff) == 0)
|
||||
|
|
Loading…
Reference in New Issue