The following issues were found
drivers/media/test-drivers/vivid/vivid-vid-out.c
4 issues
Line: 861
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EFAULT;
}
if (clipcount && win->clips)
memcpy(win->clips, dev->clips_out,
clipcount * sizeof(dev->clips_out[0]));
return 0;
}
int vidioc_try_fmt_vid_out_overlay(struct file *file, void *priv,
Reported by FlawFinder.
Line: 892
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (win->clipcount > MAX_CLIPS)
win->clipcount = MAX_CLIPS;
if (win->clipcount) {
memcpy(dev->try_clips_out, win->clips,
win->clipcount * sizeof(dev->clips_out[0]));
for (i = 0; i < win->clipcount; i++) {
struct v4l2_rect *r = &dev->try_clips_out[i].c;
r->top = clamp_t(s32, r->top, 0, dev->display_height - 1);
Reported by FlawFinder.
Line: 916
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
}
memcpy(win->clips, dev->try_clips_out,
win->clipcount * sizeof(dev->clips_out[0]));
}
return 0;
}
Reported by FlawFinder.
Line: 953
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->bitmap_out = new_bitmap;
dev->clipcount_out = win->clipcount;
if (dev->clipcount_out)
memcpy(dev->clips_out, dev->try_clips_out, clips_size);
dev->chromakey_out = win->chromakey;
dev->global_alpha_out = win->global_alpha;
return ret;
}
Reported by FlawFinder.
drivers/media/v4l2-core/v4l2-ctrls-api.c
4 issues
Line: 875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* It's a driver bug if this happens. */
if (WARN_ON(ctrl->type != type))
return -EINVAL;
memcpy(ctrl->p_new.p, p, ctrl->elems * ctrl->elem_size);
return set_ctrl(NULL, ctrl, 0);
}
EXPORT_SYMBOL(__v4l2_ctrl_s_ctrl_compound);
/*
Reported by FlawFinder.
Line: 1023
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qc->elem_size = ctrl->elem_size;
qc->elems = ctrl->elems;
qc->nr_of_dims = ctrl->nr_of_dims;
memcpy(qc->dims, ctrl->dims, qc->nr_of_dims * sizeof(qc->dims[0]));
qc->minimum = ctrl->minimum;
qc->maximum = ctrl->maximum;
qc->default_value = ctrl->default_value;
if (ctrl->type == V4L2_CTRL_TYPE_MENU ||
ctrl->type == V4L2_CTRL_TYPE_INTEGER_MENU)
Reported by FlawFinder.
Line: 52
Column: 9
CWE codes:
126
switch (ctrl->type) {
case V4L2_CTRL_TYPE_STRING:
len = strlen(ptr.p_char);
if (c->size < len + 1) {
c->size = ctrl->elem_size;
return -ENOSPC;
}
return copy_to_user(c->string, ptr.p_char, len + 1) ?
Reported by FlawFinder.
Line: 139
Column: 8
CWE codes:
126
* If the string was longer than ctrl->maximum,
* then return an error.
*/
if (strlen(ptr.p_char) == ctrl->maximum && last)
return -ERANGE;
}
return ret;
default:
*ptr.p_s32 = c->value;
Reported by FlawFinder.
drivers/media/tuners/tda18218.c
4 issues
Line: 41
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg[0].len = 1 + len2;
buf[0] = reg + len - remaining;
memcpy(&buf[1], &val[len - remaining], len2);
ret = i2c_transfer(priv->i2c, msg, 1);
if (ret != 1)
break;
}
Reported by FlawFinder.
Line: 87
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = i2c_transfer(priv->i2c, msg, 2);
if (ret == 2) {
memcpy(val, &buf[reg], len);
ret = 0;
} else {
dev_warn(&priv->i2c->dev, "%s: i2c rd failed=%d reg=%02x " \
"len=%d\n", KBUILD_MODNAME, ret, reg, len);
ret = -EREMOTEIO;
Reported by FlawFinder.
Line: 319
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"%s: NXP TDA18218HN successfully identified\n",
KBUILD_MODNAME);
memcpy(&fe->ops.tuner_ops, &tda18218_tuner_ops,
sizeof(struct dvb_tuner_ops));
memcpy(priv->regs, def_regs, sizeof(def_regs));
/* loop-through enabled chip default register values */
if (priv->cfg->loop_through) {
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&fe->ops.tuner_ops, &tda18218_tuner_ops,
sizeof(struct dvb_tuner_ops));
memcpy(priv->regs, def_regs, sizeof(def_regs));
/* loop-through enabled chip default register values */
if (priv->cfg->loop_through) {
priv->regs[R17_PD1] = 0xb0;
priv->regs[R18_PD2] = 0x59;
Reported by FlawFinder.
drivers/media/usb/uvc/uvcvideo.h
4 issues
Line: 319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
u16 id;
u16 type;
char name[64];
u8 guid[16];
/* Media controller-related fields. */
struct video_device *vdev;
struct v4l2_subdev subdev;
Reported by FlawFinder.
Line: 408
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 fcc;
u32 flags;
char name[32];
unsigned int nframes;
struct uvc_frame *frame;
};
Reported by FlawFinder.
Line: 674
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long warnings;
u32 quirks;
int intfnum;
char name[32];
const struct uvc_device_info *info;
struct mutex lock; /* Protects users */
unsigned int users;
Reported by FlawFinder.
Line: 702
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct urb *int_urb;
u8 *status;
struct input_dev *input;
char input_phys[64];
struct uvc_ctrl_work {
struct work_struct work;
struct urb *urb;
struct uvc_video_chain *chain;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/gp8psk.c
4 issues
Line: 26
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
struct gp8psk_state {
unsigned char data[80];
};
static int gp8psk_usb_in_op(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
Reported by FlawFinder.
Line: 57
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -EIO;
} else {
ret = 0;
memcpy(b, st->data, blen);
}
deb_xfer("in: req. %x, val: %x, ind: %x, buffer: ",req,value,index);
debug_dump(b,blen,deb_xfer);
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((ret = mutex_lock_interruptible(&d->usb_mutex)))
return ret;
memcpy(st->data, b, blen);
if (usb_control_msg(d->udev,
usb_sndctrlpipe(d->udev,0),
req,
USB_TYPE_VENDOR | USB_DIR_OUT,
value, index, st->data, blen,
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_free;
}
memcpy(buf, ptr, buflen);
if (dvb_usb_generic_write(d, buf, buflen)) {
err("failed to load bcm4500 firmware.");
goto out_free;
}
ptr += buflen;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/vp702x-fe.c
4 issues
Line: 228
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd = dst->buf;
cmd[1] = SET_DISEQC_CMD;
cmd[2] = m->msg_len;
memcpy(&cmd[3], m->msg, m->msg_len);
cmd[7] = vp702x_chksum(cmd, 0, 7);
vp702x_usb_inout_op(st->d, cmd, 8, cmd, 10, 100);
if (cmd[2] == 0 && cmd[3] == 0)
Reported by FlawFinder.
Line: 271
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dst->buf_mutex);
buf = dst->buf;
memcpy(buf, st->lnb_buf, 8);
vp702x_usb_inout_op(st->d, buf, 8, buf, 10, 100);
if (buf[2] == 0 && buf[3] == 0)
deb_fe("set_tone cmd failed.\n");
else
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dst->buf_mutex);
buf = dst->buf;
memcpy(buf, st->lnb_buf, 8);
vp702x_usb_inout_op(st->d, buf, 8, buf, 10, 100);
if (buf[2] == 0 && buf[3] == 0)
deb_fe("set_voltage cmd failed.\n");
else
Reported by FlawFinder.
Line: 332
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s->d = d;
memcpy(&s->fe.ops,&vp702x_fe_ops,sizeof(struct dvb_frontend_ops));
s->fe.demodulator_priv = s;
s->lnb_buf[1] = SET_LNB_POWER;
s->lnb_buf[3] = 0xff; /* 0=tone burst, 2=data burst, ff=off */
Reported by FlawFinder.
drivers/media/platform/rcar_jpu.c
4 issues
Line: 358
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
[JPU_JPEG_PADDING_OFFSET ... JPU_JPEG_HDR_SIZE - 1] = 0xff \
}
static unsigned char jpeg_hdrs[JPU_MAX_QUALITY][JPU_JPEG_HDR_SIZE] = {
[0 ... JPU_MAX_QUALITY - 1] = JPU_JPEG_HDR_BLOB
};
static const unsigned int qtbl_lum[JPU_MAX_QUALITY][QTBL_SIZE] = {
{
Reported by FlawFinder.
Line: 448
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xf1f2f3f4, 0xf5f6f7f8, 0xf9fa0000
};
static const char *error_to_text[16] = {
"Normal",
"SOI not detected",
"SOF1 to SOFF detected",
"Subsampling not detected",
"SOF accuracy error",
Reported by FlawFinder.
Line: 1139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buffer = vb2_plane_vaddr(vb, 0);
memcpy(buffer, jpeg_hdrs[jpu_buf->compr_quality], JPU_JPEG_HDR_SIZE);
*(__be16 *)(buffer + JPU_JPEG_HEIGHT_OFFSET) =
cpu_to_be16(q_data->format.height);
*(__be16 *)(buffer + JPU_JPEG_WIDTH_OFFSET) =
cpu_to_be16(q_data->format.width);
*(buffer + JPU_JPEG_SUBS_OFFSET) = q_data->fmtinfo->subsampling;
Reported by FlawFinder.
Line: 1649
Column: 33
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* fill in quantization and Huffman tables for encoder */
for (i = 0; i < JPU_MAX_QUALITY; i++)
jpu_generate_hdr(i, (unsigned char *)jpeg_hdrs[i]);
strscpy(jpu->vfd_encoder.name, DRV_NAME, sizeof(jpu->vfd_encoder.name));
jpu->vfd_encoder.fops = &jpu_fops;
jpu->vfd_encoder.ioctl_ops = &jpu_ioctl_ops;
jpu->vfd_encoder.minor = -1;
Reported by FlawFinder.
drivers/media/tuners/xc4000.c
4 issues
Line: 45
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"16: use FM radio input 1 instead of input 2\n"
"32: use mono audio (the lower three bits are ignored)");
static char firmware_name[30];
module_param_string(firmware_name, firmware_name, sizeof(firmware_name), 0);
MODULE_PARM_DESC(firmware_name, "Firmware file name. Allows overriding the default firmware name.");
static DEFINE_MUTEX(xc4000_list_mutex);
static LIST_HEAD(hybrid_tuner_instance_list);
Reported by FlawFinder.
Line: 712
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *p, *endp;
int rc = 0;
int n, n_array;
char name[33];
const char *fname;
if (firmware_name[0] != '\0') {
fname = firmware_name;
Reported by FlawFinder.
Line: 898
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
scode_buf[0] = 0x00;
memcpy(&scode_buf[1], p, 12);
/* Enter direct-mode */
rc = xc_write_reg(priv, XREG_DIRECTSITTING_MODE, 0);
if (rc < 0) {
printk(KERN_ERR "failed to put device into direct mode!\n");
Reported by FlawFinder.
Line: 1728
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_unlock(&xc4000_list_mutex);
memcpy(&fe->ops.tuner_ops, &xc4000_tuner_ops,
sizeof(struct dvb_tuner_ops));
if (instance == 1) {
int ret;
mutex_lock(&priv->lock);
Reported by FlawFinder.
drivers/media/usb/tm6000/tm6000-video.c
4 issues
Line: 147
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* from last urb or packet */
header = dev->isoc_ctl.tmp_buf;
if (4 - dev->isoc_ctl.tmp_buf_len > 0) {
memcpy((u8 *)&header +
dev->isoc_ctl.tmp_buf_len,
ptr,
4 - dev->isoc_ctl.tmp_buf_len);
ptr += 4 - dev->isoc_ctl.tmp_buf_len;
}
Reported by FlawFinder.
Line: 158
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ptr + 3 >= endp) {
/* have incomplete header */
dev->isoc_ctl.tmp_buf_len = endp - ptr;
memcpy(&dev->isoc_ctl.tmp_buf, ptr,
dev->isoc_ctl.tmp_buf_len);
return rc;
}
/* Seek for sync */
for (; ptr < endp - 3; ptr++) {
Reported by FlawFinder.
Line: 238
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case TM6000_URB_MSG_VIDEO:
/* Fills video buffer */
if (vbuf)
memcpy(&voutp[pos], ptr, cpysize);
break;
case TM6000_URB_MSG_AUDIO: {
int i;
for (i = 0; i < cpysize; i += 2)
swab16s((u16 *)(ptr + i));
Reported by FlawFinder.
Line: 302
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (len > 0) {
cpysize = min(len, buf->vb.size-pos);
memcpy(&outp[pos], ptr, cpysize);
pos += cpysize;
ptr += cpysize;
len -= cpysize;
if (pos >= buf->vb.size) {
pos = 0;
Reported by FlawFinder.
drivers/media/radio/si4713/radio-usb-si4713.c
4 issues
Line: 251
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int len = start_seq[i].len;
const u8 *payload = start_seq[i].payload;
memcpy(radio->buffer + 1, payload, len);
memset(radio->buffer + len + 1, 0, BUFFER_LENGTH - 1 - len);
retval = si4713_send_startup_command(radio);
}
return retval;
Reported by FlawFinder.
Line: 300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
radio->buffer[0] = 0x3f;
radio->buffer[1] = 0x06;
memcpy(radio->buffer + 2, payload, 3);
memcpy(radio->buffer + 5, data, len);
memset(radio->buffer + 5 + len, 0, BUFFER_LENGTH - 5 - len);
/* send the command */
retval = usb_control_msg(radio->usbdev, usb_sndctrlpipe(radio->usbdev, 0),
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
radio->buffer[1] = 0x06;
memcpy(radio->buffer + 2, payload, 3);
memcpy(radio->buffer + 5, data, len);
memset(radio->buffer + 5 + len, 0, BUFFER_LENGTH - 5 - len);
/* send the command */
retval = usb_control_msg(radio->usbdev, usb_sndctrlpipe(radio->usbdev, 0),
0x09, 0x21, 0x033f, 0, radio->buffer,
Reported by FlawFinder.
Line: 334
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* for it here.
*/
if (radio->buffer[1] == 0 && (radio->buffer[2] & SI4713_CTS)) {
memcpy(data, radio->buffer + 2, len);
return 0;
}
if (time_is_before_jiffies(until_jiffies)) {
/* Zero the status value, ensuring CTS isn't set */
data[0] = 0;
Reported by FlawFinder.