The following issues were found
drivers/media/dvb-frontends/mt352.c
3 issues
Line: 159
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dtv_frontend_properties *op = &fe->dtv_property_cache;
struct mt352_state* state = fe->demodulator_priv;
unsigned char buf[13];
static unsigned char tuner_go[] = { 0x5d, 0x01 };
static unsigned char fsm_go[] = { 0x5e, 0x01 };
unsigned int tps = 0;
switch (op->code_rate_HP) {
Reported by FlawFinder.
Line: 541
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* setup the state */
state->i2c = i2c;
memcpy(&state->config,config,sizeof(struct mt352_config));
/* check if the demod is there */
if (mt352_read_register(state, CHIP_ID) != ID_MT352) goto error;
/* create dvb_frontend */
Reported by FlawFinder.
Line: 547
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mt352_read_register(state, CHIP_ID) != ID_MT352) goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &mt352_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
kfree(state);
Reported by FlawFinder.
drivers/media/dvb-frontends/or51211.c
3 issues
Line: 229
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int or51211_read_status(struct dvb_frontend *fe, enum fe_status *status)
{
struct or51211_state* state = fe->demodulator_priv;
unsigned char rec_buf[2];
unsigned char snd_buf[] = {0x04,0x00,0x03,0x00};
*status = 0;
/* Receiver Status */
if (i2c_writebytes(state,state->config->demod_address,snd_buf,3)) {
Reported by FlawFinder.
Line: 355
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct or51211_config* config = state->config;
const struct firmware* fw;
unsigned char get_ver_buf[] = {0x04,0x00,0x30,0x00,0x00};
unsigned char rec_buf[14];
int ret,i;
if (!state->initialized) {
/* Request the firmware, this will block until it uploads */
pr_info("Waiting for firmware upload (%s)...\n",
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->current_frequency = 0;
/* Create dvb_frontend */
memcpy(&state->frontend.ops, &or51211_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
}
static const struct dvb_frontend_ops or51211_ops = {
Reported by FlawFinder.
drivers/media/dvb-frontends/si21xx.c
3 issues
Line: 238
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
msg.buf[0] = reg1;
memcpy(msg.buf + 1, data, len);
ret = i2c_transfer(state->i2c, &msg, 1);
if (ret != 1)
dprintk("%s: writereg error (reg1 == 0x%02x, data == 0x%02x, ret == %i)\n",
Reported by FlawFinder.
Line: 728
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rf_freq;
int data_rate;
unsigned char regs[4];
dprintk("%s : FE_SET_FRONTEND\n", __func__);
if (c->delivery_system != SYS_DVBS) {
dprintk("%s: unsupported delivery system selected (%d)\n",
Reported by FlawFinder.
Line: 930
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &si21xx_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
Reported by FlawFinder.
drivers/media/dvb-frontends/stv0288.c
3 issues
Line: 113
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct stv0288_state *state = fe->demodulator_priv;
unsigned int temp;
unsigned char b[3];
if ((srate < 1000000) || (srate > 45000000))
return -EINVAL;
stv0288_writeregI(state, 0x22, 0);
Reported by FlawFinder.
Line: 444
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dtv_frontend_properties *c = &fe->dtv_property_cache;
char tm;
unsigned char tda[3];
u8 reg, time_out = 0;
dprintk("%s : FE_SET_FRONTEND\n", __func__);
if (c->delivery_system != SYS_DVBS) {
Reported by FlawFinder.
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &stv0288_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
error:
Reported by FlawFinder.
drivers/media/dvb-frontends/tda10048.c
3 issues
Line: 268
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
*buf = reg;
memcpy(buf + 1, data, len);
msg.addr = config->demod_address;
msg.flags = 0;
msg.buf = buf;
msg.len = len + 1;
Reported by FlawFinder.
Line: 1096
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* setup the state and clone the config */
memcpy(&state->config, config, sizeof(*config));
state->i2c = i2c;
state->fwloaded = config->no_firmware;
state->bandwidth = 8000000;
/* check if the demod is present */
Reported by FlawFinder.
Line: 1106
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
/* create dvb_frontend */
memcpy(&state->frontend.ops, &tda10048_ops,
sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
/* set pll */
if (config->set_pll) {
Reported by FlawFinder.
drivers/media/dvb-frontends/tda1004x.c
3 issues
Line: 328
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tx_size = 0x10;
// send the chunk
memcpy(buf + 1, mem + pos, tx_size);
fw_msg.len = tx_size + 1;
if (__i2c_transfer(state->i2c, &fw_msg, 1) != 1) {
printk(KERN_ERR "tda1004x: Error during firmware upload\n");
i2c_unlock_bus(state->i2c, I2C_LOCK_SEGMENT);
return -EIO;
Reported by FlawFinder.
Line: 1300
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* create dvb_frontend */
memcpy(&state->frontend.ops, &tda10045_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
}
static const struct dvb_frontend_ops tda10046_ops = {
Reported by FlawFinder.
Line: 1369
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* create dvb_frontend */
memcpy(&state->frontend.ops, &tda10046_ops, sizeof(struct dvb_frontend_ops));
state->frontend.demodulator_priv = state;
return &state->frontend;
}
module_param(debug, int, 0644);
Reported by FlawFinder.
drivers/media/dvb-frontends/tda18271c2dd.c
3 issues
Line: 137
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
data[0] = SubAddr;
memcpy(data + 1, Regs, nRegs);
return i2c_write(state->i2c, state->adr, data, nRegs + 1);
}
static int WriteReg(struct tda_state *state, u8 SubAddr, u8 Reg)
{
Reported by FlawFinder.
Line: 746
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0xB3, 0x48, 0xB0,
};
int status = 0;
memcpy(&state->m_Regs[TM], InitRegs, EB23 - TM + 1);
do {
status = UpdateRegs(state, TM, EB23);
if (status < 0)
break;
Reported by FlawFinder.
Line: 1225
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fe->tuner_priv = state;
state->adr = adr;
state->i2c = i2c;
memcpy(&fe->ops.tuner_ops, &tuner_ops, sizeof(struct dvb_tuner_ops));
reset(state);
InitCal(state);
return fe;
}
Reported by FlawFinder.
drivers/media/firewire/firedtv-fw.c
3 issues
Line: 82
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct fw_iso_buffer buffer;
int interrupt_packet;
int current_packet;
char *pages[N_PAGES];
};
static int queue_iso(struct fdtv_ir_context *ctx, int index)
{
struct fw_iso_packet p;
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
{
struct firedtv *fdtv;
char name[MAX_MODEL_NAME_LEN];
int name_len, i, err;
fdtv = kzalloc(sizeof(*fdtv), GFP_KERNEL);
if (!fdtv)
return -ENOMEM;
Reported by FlawFinder.
Line: 280
Column: 7
CWE codes:
126
goto fail_free;
}
for (i = ARRAY_SIZE(model_names); --i; )
if (strlen(model_names[i]) <= name_len &&
strncmp(name, model_names[i], name_len) == 0)
break;
fdtv->type = i;
err = fdtv_register_rc(fdtv, &unit->device);
Reported by FlawFinder.
drivers/media/i2c/adv7511-v4l2.c
3 issues
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(buffer, cri->header, sizeof(cri->header));
len = buffer[2];
if (len + 4 > sizeof(buffer)) {
v4l2_err(sd, "%s: invalid %s infoframe length %d\n", __func__, cri->desc, len);
Reported by FlawFinder.
Line: 1212
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (edid->start_block + edid->blocks > state->edid.blocks)
edid->blocks = state->edid.blocks - edid->start_block;
memcpy(edid->edid, &state->edid.data[edid->start_block * 128],
128 * edid->blocks);
return 0;
}
Reported by FlawFinder.
Line: 1454
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i == 128)
v4l2_dbg(lvl, debug, sd, "\n");
for (j = i; j < i + 16; j++) {
sprintf(bp, "0x%02x, ", buf[j]);
bp += 6;
}
bp[0] = '\0';
v4l2_dbg(lvl, debug, sd, "%s\n", b);
}
Reported by FlawFinder.
drivers/media/i2c/dw9807-vcm.c
3 issues
Line: 78
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dw9807_set_dac(struct i2c_client *client, u16 data)
{
const char tx_data[3] = {
DW9807_MSB_ADDR, ((data >> 8) & 0x03), (data & 0xff)
};
int val, ret;
/*
Reported by FlawFinder.
Line: 241
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = to_i2c_client(dev);
struct v4l2_subdev *sd = i2c_get_clientdata(client);
struct dw9807_device *dw9807_dev = sd_to_dw9807_vcm(sd);
const char tx_data[2] = { DW9807_CTL_ADDR, 0x01 };
int ret, val;
for (val = dw9807_dev->current_val & ~(DW9807_CTRL_STEPS - 1);
val >= 0; val -= DW9807_CTRL_STEPS) {
ret = dw9807_set_dac(client, val);
Reported by FlawFinder.
Line: 273
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = to_i2c_client(dev);
struct v4l2_subdev *sd = i2c_get_clientdata(client);
struct dw9807_device *dw9807_dev = sd_to_dw9807_vcm(sd);
const char tx_data[2] = { DW9807_CTL_ADDR, 0x00 };
int ret, val;
/* Power on */
ret = i2c_master_send(client, tx_data, sizeof(tx_data));
if (ret < 0) {
Reported by FlawFinder.