The following issues were found
drivers/media/i2c/ir-kbd-i2c.c
3 issues
Line: 62
Column: 11
CWE codes:
119
120
Suggestion:
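Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: in the excerpt below, `buf` holds 6 bytes while the read length is the caller-supplied `size`; the excerpt shows no check that `size <= sizeof(buf)` before `i2c_master_recv()`, so confirm that every caller passes at most 6.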
static int get_key_haup_common(struct IR_i2c *ir, enum rc_proto *protocol,
u32 *scancode, u8 *ptoggle, int size)
{
unsigned char buf[6];
int start, range, toggle, dev, code, ircode, vendor;
/* poll IR chip */
if (size != i2c_master_recv(ir->c, buf, size))
return -EIO;
Reported by FlawFinder.
Line: 143
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *scancode, u8 *toggle)
{
int ret;
unsigned char buf[1] = { 0 };
/*
* This is the same apparent "are you ready?" poll command observed
* watching Windows driver traffic and implemented in lirc_zilog. With
* this added, we get far saner remote behavior with z8 chips on usb
Reported by FlawFinder.
Line: 183
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *scancode, u8 *toggle)
{
int rc;
unsigned char buf[4];
/* poll IR chip */
rc = i2c_master_recv(ir->c, buf, 4);
if (rc != 4) {
dev_dbg(&ir->rc->dev, "read error\n");
Reported by FlawFinder.
drivers/media/i2c/mt9t112.c
3 issues
Line: 176
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret < 0)
return ret;
memcpy(&ret, buf, 2);
return swab16(ret);
}
static int __mt9t112_reg_write(const struct i2c_client *client,
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
command = swab16(command);
data = swab16(data);
memcpy(buf + 0, &command, 2);
memcpy(buf + 2, &data, 2);
msg.addr = client->addr;
msg.flags = 0;
msg.len = 4;
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = swab16(data);
memcpy(buf + 0, &command, 2);
memcpy(buf + 2, &data, 2);
msg.addr = client->addr;
msg.flags = 0;
msg.len = 4;
msg.buf = buf;
Reported by FlawFinder.
drivers/media/i2c/s5c73m3/s5c73m3.h
3 issues
Line: 414
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short power;
char sensor_fw[S5C73M3_SENSOR_FW_LEN + 2];
char sensor_type[S5C73M3_SENSOR_TYPE_LEN + 2];
char fw_file_version[2];
unsigned int fw_size;
};
Reported by FlawFinder.
Line: 415
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
short power;
char sensor_fw[S5C73M3_SENSOR_FW_LEN + 2];
char sensor_type[S5C73M3_SENSOR_TYPE_LEN + 2];
char fw_file_version[2];
unsigned int fw_size;
};
struct s5c73m3_frame_size {
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char sensor_fw[S5C73M3_SENSOR_FW_LEN + 2];
char sensor_type[S5C73M3_SENSOR_TYPE_LEN + 2];
char fw_file_version[2];
unsigned int fw_size;
};
struct s5c73m3_frame_size {
u32 width;
Reported by FlawFinder.
drivers/media/i2c/saa7110.c
3 issues
Line: 93
Column: 3
CWE codes:
120
Suggestion:
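Make sure destination can always hold the source data. Triage note: the copy writes `len - 1` bytes starting at `decoder->reg + reg`; the bound to confirm is that `len >= 1` and that `reg + len - 1` does not exceed the size of `decoder->reg`, neither of which is visible in this excerpt.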
ret = i2c_master_send(client, data, len);
/* Cache the written data */
memcpy(decoder->reg + reg, data + 1, len - 1);
} else {
for (++data, --len; len; len--) {
ret = saa7110_write(sd, reg++, *data++);
if (ret < 0)
break;
Reported by FlawFinder.
Line: 122
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int saa7110_selmux(struct v4l2_subdev *sd, int chan)
{
static const unsigned char modes[9][8] = {
/* mode 0 */
{FRESP_06H_COMPST, 0xD9, 0x17, 0x40, 0x03,
0x44, 0x75, 0x16},
/* mode 1 */
{FRESP_06H_COMPST, 0xD8, 0x17, 0x40, 0x03,
Reported by FlawFinder.
Line: 167
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static const unsigned char initseq[1 + SAA7110_NR_REG] = {
0, 0x4C, 0x3C, 0x0D, 0xEF, 0xBD, 0xF2, 0x03, 0x00,
/* 0x08 */ 0xF8, 0xF8, 0x60, 0x60, 0x00, 0x86, 0x18, 0x90,
/* 0x10 */ 0x00, 0x59, 0x40, 0x46, 0x42, 0x1A, 0xFF, 0xDA,
/* 0x18 */ 0xF2, 0x8B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 0x20 */ 0xD9, 0x16, 0x40, 0x41, 0x80, 0x41, 0x80, 0x4F,
Reported by FlawFinder.
drivers/media/i2c/sony-btf-mpx.c
3 issues
Line: 124
Column: 6
CWE codes:
78
Suggestion:
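try using a library call that implements the same functionality if available. Triage note: in the excerpt below `system` is a `u16` struct member, not a call to `system()`; this looks like a name match on the identifier, so CWE-78 (OS command injection) likely does not apply here.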
u16 fm_prescale;
u16 nicam_prescale;
u16 scart_prescale;
u16 system;
u16 volume;
} mpx_audio_modes[] = {
/* Auto */ { AUD_MONO, 0x1003, 0x0020, 0x0100, 0x2603,
0x5000, 0x0000, 0x0001, 0x7500 },
/* B/G Mono */ { AUD_MONO, 0x1003, 0x0020, 0x0100, 0x2603,
Reported by FlawFinder.
Line: 220
Column: 56
CWE codes:
78
Suggestion:
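try using a library call that implements the same functionality if available. Triage note: the flagged token is the struct member `mpx_audio_modes[mode].system`, passed as a value to `mpx_write()`, not a call to `system()`; this is likely a false positive for CWE-78.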
mpx_audio_modes[mode].nicam_prescale);
mpx_write(client, 0x12, 0x000d,
mpx_audio_modes[mode].scart_prescale);
mpx_write(client, 0x10, 0x0020, mpx_audio_modes[mode].system);
mpx_write(client, 0x12, 0x0000, mpx_audio_modes[mode].volume);
if (mpx_audio_modes[mode].audio_mode == AUD_A2)
mpx_write(client, 0x10, 0x0022,
t->audmode == V4L2_TUNER_MODE_MONO ? 0x07f0 : 0x0190);
Reported by FlawFinder.
Line: 239
Column: 26
CWE codes:
78
Suggestion:
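try using a library call that implements the same functionality if available. Triage note: the flagged token is the struct member `mpx_audio_modes[mode].system`, used as an argument value, not a call to `system()`; this is likely a false positive for CWE-78.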
mpx_audio_modes[mode].fm_prescale,
mpx_audio_modes[mode].nicam_prescale,
mpx_audio_modes[mode].scart_prescale,
mpx_audio_modes[mode].system,
mpx_audio_modes[mode].volume);
buf1[0] = 0x11;
buf1[1] = 0x00;
buf1[2] = 0x7e;
msgs[0].addr = client->addr;
Reported by FlawFinder.
drivers/media/i2c/tda1997x.c
3 issues
Line: 244
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char hdmi_status;
char mptrw_in_progress;
char activity_status;
char input_detect[2];
/* video */
struct hdmi_avi_infoframe avi_infoframe;
struct v4l2_hdmi_colorimetry colorimetry;
u32 rgb_quantization_range;
Reported by FlawFinder.
Line: 1848
Column: 2
CWE codes:
120
Suggestion:
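Make sure destination can always hold the source data. Triage note: the excerpt clamps `edid->blocks` to `state->edid.blocks - edid->start_block` before the copy. Two things are not visible here and need confirming: that `edid->start_block` is checked against `state->edid.blocks` beforehand, so the subtraction cannot go negative or wrap, and that `edid->edid` can hold `edid->blocks * 128` bytes.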
if (edid->start_block + edid->blocks > state->edid.blocks)
edid->blocks = state->edid.blocks - edid->start_block;
memcpy(edid->edid, state->edid.edid + edid->start_block * 128,
edid->blocks * 128);
return 0;
}
Reported by FlawFinder.
Line: 1888
Column: 2
CWE codes:
120
Suggestion:
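Make sure destination can always hold the source data. Triage note: this copies a fixed 256 bytes. Confirm that `edid->edid` supplies at least 256 bytes (the line above already indexes `edid->edid[i+128]`) and that `state->edid.edid` is at least that large; neither size is visible in this excerpt.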
io_write(sd, REG_EDID_IN_BYTE128 + i, edid->edid[i+128]);
/* store state */
memcpy(state->edid.edid, edid->edid, 256);
state->edid.blocks = edid->blocks;
tda1997x_enable_edid(sd);
return 0;
Reported by FlawFinder.
drivers/media/pci/cx18/cx18-alsa-pcm.c
3 issues
Line: 104
Column: 3
CWE codes:
120
Suggestion:
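Make sure destination can always hold the source data. Triage note: the flagged copies split a write that wraps past the end of `runtime->dma_area`. The split stays in bounds only if `oldptr < runtime->buffer_size` and `length <= runtime->buffer_size`; neither check is visible in this excerpt.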
if (oldptr + length >= runtime->buffer_size) {
unsigned int cnt =
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
cnt * stride);
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
cnt * stride);
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
length * stride);
}
Reported by FlawFinder.
Line: 109
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
length * stride);
}
snd_pcm_stream_lock(substream);
cxsc->hwptr_done_capture += length;
Reported by FlawFinder.
drivers/media/pci/cx18/cx18-mailbox.c
3 issues
Line: 107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void dump_mb(struct cx18 *cx, struct cx18_mailbox *mb, char *name)
{
char argstr[MAX_MB_ARGUMENTS*11+1];
if (!(cx18_debug & CX18_DBGFLG_API))
return;
CX18_DEBUG_API("%s: req %#010x ack %#010x cmd %#010x err %#010x args%s\n",
Reported by FlawFinder.
Line: 178
Column: 4
CWE codes:
120
Suggestion:
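Make sure destination can always hold the source data. Triage note: in the excerpt the copy is guarded by `(offset + buf->bytesused) <= vb_buf->vb.bsize`, so the destination bound is checked on the visible path. What remains to confirm outside the excerpt is that `p` points to a buffer of `vb_buf->vb.bsize` bytes and that the addition cannot overflow.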
break;
if ((offset + buf->bytesused) <= vb_buf->vb.bsize) {
memcpy(p + offset, buf->buf, buf->bytesused);
offset += buf->bytesused;
vb_buf->bytes_used += buf->bytesused;
}
}
Reported by FlawFinder.
Line: 589
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mutex *mb_lock;
unsigned long int t0, timeout, ret;
int i;
char argstr[MAX_MB_ARGUMENTS*11+1];
DEFINE_WAIT(w);
if (info == NULL) {
CX18_WARN("unknown cmd %x\n", cmd);
return -EINVAL;
Reported by FlawFinder.
drivers/media/pci/cx23885/cx23885-417.c
3 issues
Line: 1326
Column: 2
CWE codes:
120
Suggestion:
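Use sprintf_s, snprintf, or vsnprintf. Triage note: `sprintf_s` is not available in kernel code. The bounded form here is `snprintf(cap->bus_info, sizeof(cap->bus_info), ...)`, matching the `strscpy(..., sizeof(...))` calls on the lines just above; the size of `cap->bus_info` is not visible in this excerpt.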
strscpy(cap->driver, dev->name, sizeof(cap->driver));
strscpy(cap->card, cx23885_boards[tsport->dev->board].name,
sizeof(cap->card));
sprintf(cap->bus_info, "PCIe:%s", pci_name(dev->pci));
cap->capabilities = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_READWRITE |
V4L2_CAP_STREAMING | V4L2_CAP_VBI_CAPTURE |
V4L2_CAP_AUDIO | V4L2_CAP_DEVICE_CAPS;
if (dev->tuner_type != TUNER_ABSENT)
cap->capabilities |= V4L2_CAP_TUNER;
Reported by FlawFinder.
Line: 886
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cx23885_load_firmware(struct cx23885_dev *dev)
{
static const unsigned char magic[8] = {
0xa7, 0x0d, 0x00, 0x00, 0x66, 0xbb, 0x55, 0xaa
};
const struct firmware *firmware;
int i, retval = 0;
u32 value = 0;
Reported by FlawFinder.
Line: 1400
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int vidioc_log_status(struct file *file, void *priv)
{
struct cx23885_dev *dev = video_drvdata(file);
char name[32 + 2];
snprintf(name, sizeof(name), "%s/2", dev->name);
call_all(dev, core, log_status);
v4l2_ctrl_handler_log_status(&dev->cxhdl.hdl, name);
return 0;
Reported by FlawFinder.
drivers/media/pci/cx25821/cx25821-alsa.c
3 issues
Line: 748
Column: 2
CWE codes:
120
Suggestion:
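Use sprintf_s, snprintf, or vsnprintf. Triage note: `sprintf_s` is not available in kernel code. The bounded form here is `snprintf(card->longname, sizeof(card->longname), ...)`, matching the neighbouring `strscpy(..., sizeof(...))` calls. The output includes the variable-length string `chip->dev->name`, and the size of `card->longname` is not visible in this excerpt.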
}
strscpy(card->shortname, "cx25821", sizeof(card->shortname));
sprintf(card->longname, "%s at 0x%lx irq %d", chip->dev->name,
chip->iobase, chip->irq);
strscpy(card->mixername, "CX25821", sizeof(card->mixername));
pr_info("%s/%i: ALSA support for cx25821 boards\n", card->driver,
devno);
Reported by FlawFinder.
Line: 91
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
****************************************************************************/
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-MAX */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* ID for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
module_param_array(enable, bool, NULL, 0444);
MODULE_PARM_DESC(enable, "Enable cx25821 soundcard. default enabled.");
Reported by FlawFinder.
Line: 296
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* BOARD Specific: IRQ dma bits
*/
static char *cx25821_aud_irqs[32] = {
"dn_risci1", "up_risci1", "rds_dn_risc1", /* 0-2 */
NULL, /* reserved */
"dn_risci2", "up_risci2", "rds_dn_risc2", /* 4-6 */
NULL, /* reserved */
"dnf_of", "upf_uf", "rds_dnf_uf", /* 8-10 */
Reported by FlawFinder.