Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: m88rs6000t: avoid potential out-of-bounds reads on arrays

There are 3 array for-loops that don't check the upper bounds of the
index into arrays and this may lead to potential out-of-bounds
reads. Fix this by adding array size upper bounds checks to be
fully safe.

Addresses-Coverity: ("Out-of-bounds read")

Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com
Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

Authored by Colin Ian King and committed by Mauro Carvalho Chehab
9baa3d64 dfe59c78

+3 -3
drivers/media/tuners/m88rs6000t.c
··· 525 525 PGA2_cri = PGA2_GC >> 2; 526 526 PGA2_crf = PGA2_GC & 0x03; 527 527 528 - for (i = 0; i <= RF_GC; i++) 528 + for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++) 529 529 RFG += RFGS[i]; 530 530 531 531 if (RF_GC == 0) ··· 537 537 if (RF_GC == 3) 538 538 RFG += 100; 539 539 540 - for (i = 0; i <= IF_GC; i++) 540 + for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++) 541 541 IFG += IFGS[i]; 542 542 543 543 TIAG = TIA_GC * TIA_GS; 544 544 545 - for (i = 0; i <= BB_GC; i++) 545 + for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++) 546 546 BBG += BBGS[i]; 547 547 548 548 PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS;
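Review bot: In the first hunk, the added `i < ARRAY_SIZE(RFGS)` bound stops the overrun but silently truncates the sum when RF_GC is larger than the table, so RFG ends up as a partial sum with no indication that the index was out of range. The `if (RF_GC == 0)` and `if (RF_GC == 3)` checks that follow point to a small expected range; consider validating or clamping RF_GC once before the loop (for example with min_t() against ARRAY_SIZE(RFGS) - 1) and adding a comment that states the valid range, which keeps the loop condition simple and documents the assumption.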
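Review bot: In the second hunk, the IFGS and BBGS loops now end early when IF_GC or BB_GC exceeds the table size, leaving IFG or BBG as a partial sum without any warning. Clamping both indices where they are derived, rather than repeating the bound in each loop condition, would put the range check in one place. The commit message says "potential" and cites Coverity only; it would help to state whether the out-of-range values are actually reachable.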