[PATCH] media: dm1105: Limit number of cards to avoid buffer over read
From: Anton Vasilyev
Date: Wed Jul 18 2018 - 10:14:25 EST
dm1105_probe() counts number of cards at dm1105_devcount,
but missed bounds check before dereference a card array.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Anton Vasilyev <vasilyev@xxxxxxxxx>
---
drivers/media/pci/dm1105/dm1105.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
index c9db108751a7..1ddb0576fb7b 100644
--- a/drivers/media/pci/dm1105/dm1105.c
+++ b/drivers/media/pci/dm1105/dm1105.c
@@ -986,6 +986,9 @@ static int dm1105_probe(struct pci_dev *pdev,
int ret = -ENOMEM;
int i;
+ if (dm1105_devcount >= ARRAY_SIZE(card))
+ return -ENODEV;
+
dev = kzalloc(sizeof(struct dm1105_dev), GFP_KERNEL);
if (!dev)
return -ENOMEM;
--
2.18.0