The following issues were found
drivers/media/usb/pwc/pwc-ctrl.c
4 issues
Line: 59
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Formatters for the Video Endpoint controls [GS]ET_EP_STREAM_CTL */
#define VIDEO_OUTPUT_CONTROL_FORMATTER 0x0100
static const char *size2name[PSZ_MAX] =
{
"subQCIF",
"QSIF",
"QCIF",
"SIF",
Reported by FlawFinder.
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char alternate; /* USB alternate setting */
int compressed; /* Compressed yes/no */
unsigned char mode[3]; /* precomputed mode table */
};
static unsigned int Nala_fps_vector[PWC_FPS_MAX_NALA] = { 4, 5, 7, 10, 12, 15, 20, 24 };
static struct Nala_table_entry Nala_table[PSZ_MAX][PWC_FPS_MAX_NALA] =
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int rc;
memcpy(pdev->ctrl_buf, buf, buflen);
rc = usb_control_msg(pdev->udev, usb_sndctrlpipe(pdev->udev, 0),
SET_EP_STREAM_CTL,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
VIDEO_OUTPUT_CONTROL_FORMATTER, index,
Reported by FlawFinder.
Line: 124
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
VIDEO_OUTPUT_CONTROL_FORMATTER, index,
pdev->ctrl_buf, buflen, USB_CTRL_SET_TIMEOUT);
if (rc >= 0)
memcpy(pdev->cmd_buf, buf, buflen);
else
PWC_ERROR("send_video_command error %d\n", rc);
return rc;
}
Reported by FlawFinder.
drivers/mtd/maps/pcmciamtd.c
4 issues
Line: 424
Column: 5
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (i)
strcat(dev->mtd_name, " ");
if (p_dev->prod_id[i])
strcat(dev->mtd_name, p_dev->prod_id[i]);
}
pr_debug("Found name: %s\n", dev->mtd_name);
}
pcmcia_loop_tuple(p_dev, CISTPL_FORMAT, pcmciamtd_cistpl_format, NULL);
Reported by FlawFinder.
Line: 39
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct map_info pcmcia_map;
struct mtd_info *mtd_info;
int vpp;
char mtd_name[sizeof(struct cistpl_vers_1_t)];
};
/* Module parameters */
Reported by FlawFinder.
Line: 452
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dev->pcmcia_map.name = dev->mtd_name;
if(!dev->mtd_name[0]) {
strcpy(dev->mtd_name, "PCMCIA Memory card");
*new_name = 1;
}
pr_debug("Device: Size: %lu Width:%d Name: %s\n",
dev->pcmcia_map.size,
Reported by FlawFinder.
Line: 422
Column: 5
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
dev->mtd_name[0] = '\0';
for (i = 0; i < 4; i++) {
if (i)
strcat(dev->mtd_name, " ");
if (p_dev->prod_id[i])
strcat(dev->mtd_name, p_dev->prod_id[i]);
}
pr_debug("Found name: %s\n", dev->mtd_name);
}
Reported by FlawFinder.
drivers/mtd/inftlcore.c
4 issues
Line: 239
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u16 INFTL_foldchain(struct INFTLrecord *inftl, unsigned thisVUC, unsigned pendingblock)
{
u16 BlockMap[MAX_SECTORS_PER_UNIT];
unsigned char BlockDeleted[MAX_SECTORS_PER_UNIT];
unsigned int thisEUN, prevEUN, status;
struct mtd_info *mtd = inftl->mbd.mtd;
int block, silly;
unsigned int targetEUN;
struct inftl_oob oob;
Reported by FlawFinder.
Line: 314
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
pr_debug("INFTL: folding chain %d into unit %d\n", thisVUC, targetEUN);
for (block = 0; block < inftl->EraseSize/SECTORSIZE ; block++) {
unsigned char movebuf[SECTORSIZE];
int ret;
/*
* If it's in the target EUN already, or if it's pending write,
* do nothing.
Reported by FlawFinder.
Line: 628
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void INFTL_trydeletechain(struct INFTLrecord *inftl, unsigned thisVUC)
{
struct mtd_info *mtd = inftl->mbd.mtd;
unsigned char BlockUsed[MAX_SECTORS_PER_UNIT];
unsigned char BlockDeleted[MAX_SECTORS_PER_UNIT];
unsigned int thisEUN, status;
int block, silly;
struct inftl_bci bci;
size_t retlen;
Reported by FlawFinder.
Line: 629
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mtd_info *mtd = inftl->mbd.mtd;
unsigned char BlockUsed[MAX_SECTORS_PER_UNIT];
unsigned char BlockDeleted[MAX_SECTORS_PER_UNIT];
unsigned int thisEUN, status;
int block, silly;
struct inftl_bci bci;
size_t retlen;
Reported by FlawFinder.
drivers/mtd/nand/raw/r852.c
4 issues
Line: 593
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct r852_device *dev = r852_get_dev(mtd);
char *data = dev->sm ? "smartmedia" : "xd";
strcpy(buf, data);
return strlen(data);
}
static DEVICE_ATTR_RO(media_type);
Reported by FlawFinder.
Line: 207
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dbg_verbose("dma: using bounce buffer");
dev->phys_dma_addr = dev->phys_bounce_buffer;
if (!do_read)
memcpy(dev->bounce_buffer, buf, R852_DMA_LEN);
}
/* Enable DMA */
spin_lock_irqsave(&dev->irqlock, flags);
r852_dma_enable(dev);
Reported by FlawFinder.
Line: 224
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (do_read && bounce)
memcpy((void *)buf, dev->bounce_buffer, R852_DMA_LEN);
}
/*
* Program data lines of the nand chip to send data to it
*/
Reported by FlawFinder.
Line: 594
Column: 9
CWE codes:
126
char *data = dev->sm ? "smartmedia" : "xd";
strcpy(buf, data);
return strlen(data);
}
static DEVICE_ATTR_RO(media_type);
/* Detect properties of card in slot */
Reported by FlawFinder.
drivers/media/usb/pvrusb2/pvrusb2-std.c
4 issues
Line: 286
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
template = match_std(id);
if (!template) return 0;
idx = std->index;
memcpy(std,template,sizeof(*template));
std->index = idx;
std->id = id;
bcnt = pvr2_std_id_to_str(std->name,sizeof(std->name)-1,id);
std->name[bcnt] = 0;
pvr2_trace(PVR2_TRACE_STD,"Set up standard idx=%u name=%s",
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_standard *stddefs;
if (pvrusb2_debug & PVR2_TRACE_STD) {
char buf[100];
bcnt = pvr2_std_id_to_str(buf,sizeof(buf),id);
pvr2_trace(
PVR2_TRACE_STD,"Mapping standards mask=0x%x (%.*s)",
(int)id,bcnt,buf);
}
Reported by FlawFinder.
Line: 342
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fmsk &= ~CSTD_ATSC;
if (fmsk) {
char buf[100];
bcnt = pvr2_std_id_to_str(buf,sizeof(buf),fmsk);
pvr2_trace(
PVR2_TRACE_ERROR_LEGS,
"***WARNING*** Failed to classify the following standard(s): %.*s",
bcnt,buf);
Reported by FlawFinder.
Line: 113
Column: 7
CWE codes:
126
const struct std_name *p;
for (idx = 0; idx < arrSize; idx++) {
p = arrPtr + idx;
if (strlen(p->name) != bufSize) continue;
if (!memcmp(bufPtr,p->name,bufSize)) return p;
}
return NULL;
}
Reported by FlawFinder.
drivers/mtd/ubi/eba.c
4 issues
Line: 848
CWE codes:
476
*retry = true;
memcpy(ubi->peb_buf + offset, buf, len);
data_size = offset + len;
crc = crc32(UBI_CRC32_INIT, ubi->peb_buf, data_size);
vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
vid_hdr->copy_flag = 1;
Reported by Cppcheck.
Line: 1572
CWE codes:
908
continue;
ubi_rb_for_each_entry(rb, aeb, &av->root, u.rb)
fm_eba[i][aeb->lnum] = aeb->pnum;
for (j = 0; j < vol->reserved_pebs; j++) {
if (scan_eba[i][j] != fm_eba[i][j]) {
if (scan_eba[i][j] == UBI_LEB_UNMAPPED ||
fm_eba[i][j] == UBI_LEB_UNMAPPED)
Reported by Cppcheck.
Line: 848
CWE codes:
476
*retry = true;
memcpy(ubi->peb_buf + offset, buf, len);
data_size = offset + len;
crc = crc32(UBI_CRC32_INIT, ubi->peb_buf, data_size);
vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
vid_hdr->copy_flag = 1;
Reported by Cppcheck.
Line: 848
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*retry = true;
memcpy(ubi->peb_buf + offset, buf, len);
data_size = offset + len;
crc = crc32(UBI_CRC32_INIT, ubi->peb_buf, data_size);
vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
vid_hdr->copy_flag = 1;
Reported by FlawFinder.
drivers/media/pci/cx88/cx88-alsa.c
4 issues
Line: 963
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strscpy(card->driver, "CX88x", sizeof(card->driver));
sprintf(card->shortname, "Conexant CX%x", pci->device);
sprintf(card->longname, "%s at %#llx",
card->shortname,
(unsigned long long)pci_resource_start(pci, 0));
strscpy(card->mixername, "CX88", sizeof(card->mixername));
dprintk(0, "%s/%i: ALSA support for cx2388x boards\n",
Reported by FlawFinder.
Line: 82
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static const char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
module_param_array(enable, bool, NULL, 0444);
MODULE_PARM_DESC(enable, "Enable cx88x soundcard. default enabled.");
Reported by FlawFinder.
Line: 189
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* BOARD Specific: IRQ dma bits
*/
static const char *cx88_aud_irqs[32] = {
"dn_risci1", "up_risci1", "rds_dn_risc1", /* 0-2 */
NULL, /* reserved */
"dn_risci2", "up_risci2", "rds_dn_risc2", /* 4-6 */
NULL, /* reserved */
"dnf_of", "upf_uf", "rds_dnf_uf", /* 8-10 */
Reported by FlawFinder.
Line: 962
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
strscpy(card->driver, "CX88x", sizeof(card->driver));
sprintf(card->shortname, "Conexant CX%x", pci->device);
sprintf(card->longname, "%s at %#llx",
card->shortname,
(unsigned long long)pci_resource_start(pci, 0));
strscpy(card->mixername, "CX88", sizeof(card->mixername));
Reported by FlawFinder.
drivers/mtd/devices/mtd_dataflash.c
4 issues
Line: 634
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
priv->page_offset = pageoffset;
/* name must be usable with cmdlinepart */
sprintf(priv->name, "spi%d.%d-%s",
spi->master->bus_num, spi->chip_select,
name);
device = &priv->mtd;
device->name = (pdata && pdata->name) ? pdata->name : priv->name;
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dataflash {
u8 command[4];
char name[24];
unsigned short page_offset; /* offset in flash address */
unsigned int page_size; /* of bytes per page */
struct mutex lock;
Reported by FlawFinder.
Line: 487
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
status = spi_sync(spi, &m);
if (status >= 0) {
memcpy(buf, scratch + 4 + base + off, len);
status = len;
}
kfree(scratch);
return status;
Reported by FlawFinder.
Line: 559
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!scratch)
return -ENOMEM;
scratch[0] = OP_WRITE_SECURITY;
memcpy(scratch + 4 + from, buf, len);
spi_message_init(&m);
memset(&t, 0, sizeof t);
t.tx_buf = scratch;
Reported by FlawFinder.
drivers/mtd/devices/mchp48l640.c
4 issues
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mchp48l640_read_status(struct mchp48l640_flash *flash, int *status)
{
unsigned char cmd[2];
int ret;
cmd[0] = MCHP48L640_CMD_RDSR;
cmd[1] = 0x00;
mutex_lock(&flash->lock);
Reported by FlawFinder.
Line: 117
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mchp48l640_write_prepare(struct mchp48l640_flash *flash, bool enable)
{
unsigned char cmd[2];
int ret;
if (enable)
cmd[0] = MCHP48L640_CMD_WREN;
else
Reported by FlawFinder.
Line: 143
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mchp48l640_set_mode(struct mchp48l640_flash *flash)
{
unsigned char cmd[2];
int ret;
ret = mchp48l640_write_prepare(flash, true);
if (ret)
return ret;
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&flash->lock);
cmdlen = mchp48l640_mkcmd(flash, MCHP48L640_CMD_WRITE, to, cmd);
memcpy(&cmd[cmdlen], buf, len);
ret = spi_write(flash->spi, cmd, cmdlen + len);
mutex_unlock(&flash->lock);
if (!ret)
*retlen += len;
else
Reported by FlawFinder.
drivers/media/usb/au0828/au0828-input.c
4 issues
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct au0828_rc {
struct au0828_dev *dev;
struct rc_dev *rc;
char name[32];
char phys[32];
/* poll decoder */
int polling;
struct delayed_work work;
Reported by FlawFinder.
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct au0828_dev *dev;
struct rc_dev *rc;
char name[32];
char phys[32];
/* poll decoder */
int polling;
struct delayed_work work;
Reported by FlawFinder.
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *buf, int size)
{
int rc;
char obuf[3];
struct i2c_msg msg[2] = { { .addr = ir->i2c_dev_addr, .flags = 0,
.buf = obuf, .len = 2 },
{ .addr = ir->i2c_dev_addr, .flags = I2C_M_RD,
.buf = buf, .len = size } };
Reported by FlawFinder.
Line: 115
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int au0828_get_key_au8522(struct au0828_rc *ir)
{
unsigned char buf[40];
struct ir_raw_event rawir = {};
int i, j, rc;
int prv_bit, bit, width;
bool first = true;
Reported by FlawFinder.