[media] ttusb_dec: avoid the risk of go past buffer
authorMauro Carvalho Chehab <mchehab@s-opensource.com>
Thu, 22 Sep 2016 17:09:18 +0000 (14:09 -0300)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Thu, 22 Sep 2016 17:14:22 +0000 (14:14 -0300)
Fixes this smatch warning:
drivers/media/usb/ttusb-dec/ttusb_dec.c:243 ttusb_dec_handle_irq() error: buffer overflow 'rc_keys' 26 <= 126

As the RC keys should be enabled previously, via:
set_bit(rc_keys[i], input_dev->keybit);

It wouldn't go past the buffer in practice. Yet, as bad
things may happen when going past buffer, it doesn't hurt adding
a check here.

While here, fix CodingStyle issues on the routine.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/usb/ttusb-dec/ttusb_dec.c

index 4e36e24cb3a6d758f722250e47c65d2dce3e988b..4e7671a3a1e4a2408c02d1e0a8c3d57038a60571 100644 (file)
@@ -206,7 +206,7 @@ static void ttusb_dec_set_model(struct ttusb_dec *dec,
 
 static void ttusb_dec_handle_irq( struct urb *urb)
 {
-       struct ttusb_dec * dec = urb->context;
+       struct ttusb_dec *dec = urb->context;
        char *buffer = dec->irq_buffer;
        int retval;
 
@@ -227,25 +227,31 @@ static void ttusb_dec_handle_irq( struct urb *urb)
                        goto exit;
        }
 
-       if( (buffer[0] == 0x1) && (buffer[2] == 0x15) )  {
-               /* IR - Event */
-               /* this is an fact a bit too simple implementation;
+       if ((buffer[0] == 0x1) && (buffer[2] == 0x15))  {
+               /*
+                * IR - Event
+                *
+                * this is an fact a bit too simple implementation;
                 * the box also reports a keyrepeat signal
                 * (with buffer[3] == 0x40) in an intervall of ~100ms.
                 * But to handle this correctly we had to imlemenent some
                 * kind of timer which signals a 'key up' event if no
                 * keyrepeat signal is received for lets say 200ms.
                 * this should/could be added later ...
-                * for now lets report each signal as a key down and up*/
-               dprintk("%s:rc signal:%d\n", __func__, buffer[4]);
-               input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1);
-               input_sync(dec->rc_input_dev);
-               input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0);
-               input_sync(dec->rc_input_dev);
+                * for now lets report each signal as a key down and up
+                */
+               if (buffer[4] - 1 < ARRAY_SIZE(rc_keys)) {
+                       dprintk("%s:rc signal:%d\n", __func__, buffer[4]);
+                       input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 1);
+                       input_sync(dec->rc_input_dev);
+                       input_report_key(dec->rc_input_dev, rc_keys[buffer[4] - 1], 0);
+                       input_sync(dec->rc_input_dev);
+               }
        }
 
-exit:  retval = usb_submit_urb(urb, GFP_ATOMIC);
-       if(retval)
+exit:
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
+       if (retval)
                printk("%s - usb_commit_urb failed with result: %d\n",
                        __func__, retval);
 }