[PATCH 4.9 63/71] media: v4l2-tpg: array index could become negative
From: Greg Kroah-Hartman
Date: Mon Jan 07 2019 - 08:09:30 EST
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
commit e5f71a27fa12c1a1b02ad478a568e76260f1815e upstream.
text[s] is a signed char, so using that as index into the font8x16 array
can result in negative indices. Cast it to u8 to be safe.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Reported-by: syzbot+ccf0a61ed12f2a7313ee@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: <stable@xxxxxxxxxxxxxxx> # for v4.7 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
@@ -1618,7 +1618,7 @@ typedef struct { u16 __; u8 _; } __packe
unsigned s; \
\
for (s = 0; s < len; s++) { \
- u8 chr = font8x16[text[s] * 16 + line]; \
+ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
\
if (hdiv == 2 && tpg->hflip) { \
pos[3] = (chr & (0x01 << 6) ? fg : bg); \