The following issues were found
drivers/media/pci/cx88/cx88-blackbird.c
3 issues
Line: 799
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct cx88_core *core = dev->core;
strscpy(cap->driver, "cx88_blackbird", sizeof(cap->driver));
sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
return cx88_querycap(file, core, cap);
}
static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv,
struct v4l2_fmtdesc *f)
Reported by FlawFinder.
Line: 440
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int blackbird_load_firmware(struct cx8802_dev *dev)
{
static const unsigned char magic[8] = {
0xa7, 0x0d, 0x00, 0x00, 0x66, 0xbb, 0x55, 0xaa
};
const struct firmware *firmware;
int i, retval = 0;
u32 value = 0;
Reported by FlawFinder.
Line: 918
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct cx8802_dev *dev = video_drvdata(file);
struct cx88_core *core = dev->core;
char name[32 + 2];
snprintf(name, sizeof(name), "%s/2", core->name);
call_all(core, core, log_status);
v4l2_ctrl_handler_log_status(&dev->cxhdl.hdl, name);
return 0;
Reported by FlawFinder.
drivers/media/pci/ivtv/ivtv-alsa-pcm.c
3 issues
Line: 101
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (oldptr + length >= runtime->buffer_size) {
unsigned int cnt =
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
cnt * stride);
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
runtime->buffer_size - oldptr;
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
cnt * stride);
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
length * stride);
}
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(runtime->dma_area, pcm_data + cnt * stride,
length * stride - cnt * stride);
} else {
memcpy(runtime->dma_area + oldptr * stride, pcm_data,
length * stride);
}
snd_pcm_stream_lock(substream);
itvsc->hwptr_done_capture += length;
Reported by FlawFinder.
drivers/media/pci/ivtv/ivtv-i2c.c
3 issues
Line: 140
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int get_key_adaptec(struct IR_i2c *ir, enum rc_proto *protocol,
u32 *scancode, u8 *toggle)
{
unsigned char keybuf[4];
keybuf[0] = 0x00;
i2c_master_send(ir->c, keybuf, 1);
/* poll IR chip */
if (i2c_master_recv(ir->c, keybuf, sizeof(keybuf)) != sizeof(keybuf)) {
Reported by FlawFinder.
Line: 708
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
itv->i2c_algo.data = itv;
itv->i2c_adap.algo_data = &itv->i2c_algo;
sprintf(itv->i2c_adap.name + strlen(itv->i2c_adap.name), " #%d",
itv->instance);
i2c_set_adapdata(&itv->i2c_adap, &itv->v4l2_dev);
itv->i2c_client = ivtv_i2c_client_template;
itv->i2c_client.adapter = &itv->i2c_adap;
Reported by FlawFinder.
Line: 708
Column: 31
CWE codes:
126
itv->i2c_algo.data = itv;
itv->i2c_adap.algo_data = &itv->i2c_algo;
sprintf(itv->i2c_adap.name + strlen(itv->i2c_adap.name), " #%d",
itv->instance);
i2c_set_adapdata(&itv->i2c_adap, &itv->v4l2_dev);
itv->i2c_client = ivtv_i2c_client_template;
itv->i2c_client.adapter = &itv->i2c_adap;
Reported by FlawFinder.
drivers/media/pci/ivtv/ivtv-irq.c
3 issues
Line: 289
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (offset) {
buf->bytesused -= offset;
memcpy(buf->buf, buf->buf + offset, buf->bytesused + offset);
}
*u32buf = cpu_to_le32(s->dma_backup);
}
x++;
/* flag byteswap ABCD -> DCBA for MPG & VBI data outside irq */
Reported by FlawFinder.
Line: 486
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
s->dma_xfer_cnt++;
memcpy(s->sg_processing, s->sg_pending, sizeof(struct ivtv_sg_host_element) * s->sg_pending_size);
s->sg_processing_size = s->sg_pending_size;
s->sg_pending_size = 0;
s->sg_processed = 0;
s->dma_offset = s->pending_offset;
s->dma_backup = s->pending_backup;
Reported by FlawFinder.
Line: 515
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (s->q_predma.bytesused)
ivtv_queue_move(s, &s->q_predma, NULL, &s->q_dma, s->q_predma.bytesused);
s->dma_xfer_cnt++;
memcpy(s->sg_processing, s->sg_pending, sizeof(struct ivtv_sg_host_element) * s->sg_pending_size);
s->sg_processing_size = s->sg_pending_size;
s->sg_pending_size = 0;
s->sg_processed = 0;
IVTV_DEBUG_HI_DMA("start DMA for %s\n", s->name);
Reported by FlawFinder.
drivers/media/pci/ngene/ngene-dvb.c
3 issues
Line: 141
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return -1;
for (i = 0; i < l; i++) {
if (((char *)buf)[i] == 0x47) {
if (!memcmp(buf + i, fill_ts, sizeof(fill_ts)))
return i % 188;
}
}
Reported by FlawFinder.
Line: 190
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* send it to the DVB ringbuffer afterwards.
*/
if (chan->tsin_offset) {
memcpy(&chan->tsin_buffer[(188 - chan->tsin_offset)],
buf, chan->tsin_offset);
tsin_copy_stripped(dev, &chan->tsin_buffer);
buf += chan->tsin_offset;
len -= chan->tsin_offset;
Reported by FlawFinder.
Line: 242
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* will be appended in the next tsin_exchange() iteration.
*/
if (len > 0 && len < 188)
memcpy(&chan->tsin_buffer, buf, len);
return NULL;
}
if (chan->users > 0)
Reported by FlawFinder.
drivers/media/pci/saa7134/saa7134-video.c
3 issues
Line: 1481
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strscpy(cap->driver, "saa7134", sizeof(cap->driver));
strscpy(cap->card, saa7134_boards[dev->board].name,
sizeof(cap->card));
sprintf(cap->bus_info, "PCI:%s", pci_name(dev->pci));
cap->capabilities = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
V4L2_CAP_RADIO | V4L2_CAP_VIDEO_CAPTURE |
V4L2_CAP_VBI_CAPTURE | V4L2_CAP_DEVICE_CAPS;
if (dev->tuner_type != TUNER_ABSENT && dev->tuner_type != UNSET)
cap->capabilities |= V4L2_CAP_TUNER;
Reported by FlawFinder.
Line: 1288
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
f->fmt.win.clipcount = clipcount;
for (i = 0; i < clipcount; i++) {
memcpy(&f->fmt.win.clips[i].c, &dev->clips[i].c,
sizeof(struct v4l2_rect));
}
return 0;
}
Reported by FlawFinder.
Line: 1400
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev->win = f->fmt.win;
dev->nclips = f->fmt.win.clipcount;
memcpy(dev->clips, f->fmt.win.clips,
sizeof(struct v4l2_clip) * dev->nclips);
if (priv == dev->overlay_owner) {
spin_lock_irqsave(&dev->slock, flags);
stop_preview(dev);
Reported by FlawFinder.
drivers/media/pci/solo6x10/solo6x10-v4l2-enc.c
3 issues
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(solo_enc->vop, vop, vop_len);
/* Some fixups for 6010/M4V */
if (solo_dev->type == SOLO_DEV_6010) {
u16 fps = solo_dev->fps * 1000;
u16 interval = solo_enc->interval * 1000;
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vop[SOF0_START + 7] = 0xff & (solo_enc->width >> 8);
vop[SOF0_START + 8] = 0xff & solo_enc->width;
memcpy(vop + DQT_START,
jpeg_dqt[solo_g_jpeg_qp(solo_dev, solo_enc->ch)], DQT_LEN);
}
static int solo_enc_on(struct solo_enc_dev *solo_enc)
{
Reported by FlawFinder.
Line: 1286
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Initialize this per encoder */
solo_enc->jpeg_len = sizeof(jpeg_header);
memcpy(solo_enc->jpeg_header, jpeg_header, solo_enc->jpeg_len);
solo_enc->desc_nelts = 32;
solo_enc->desc_items = dma_alloc_coherent(&solo_dev->pdev->dev,
sizeof(struct solo_p2m_desc) *
solo_enc->desc_nelts,
Reported by FlawFinder.
drivers/media/pci/ttpci/budget-ci.c
3 issues
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct budget_ci_ir {
struct rc_dev *dev;
struct tasklet_struct msp430_irq_tasklet;
char name[72]; /* 40 + 32 for (struct saa7146_dev).name */
char phys[32];
int rc5_device;
u32 ir_key;
bool have_command;
bool full_rc5; /* Outputs a full RC5 code */
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rc_dev *dev;
struct tasklet_struct msp430_irq_tasklet;
char name[72]; /* 40 + 32 for (struct saa7146_dev).name */
char phys[32];
int rc5_device;
u32 ir_key;
bool have_command;
bool full_rc5; /* Outputs a full RC5 code */
};
Reported by FlawFinder.
Line: 401
Column: 77
CWE codes:
362
}
}
static int ciintf_poll_slot_status(struct dvb_ca_en50221 *ca, int slot, int open)
{
struct budget_ci *budget_ci = (struct budget_ci *) ca->data;
unsigned int flags;
// ensure we don't get spurious IRQs during initialisation
Reported by FlawFinder.
drivers/media/pci/tw5864/tw5864-h264.c
3 issues
Line: 203
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int nal_len;
/* SPS */
memcpy(*buf, marker, sizeof(marker));
*buf += 4;
*space_left -= 4;
**buf = 0x67; /* SPS NAL header */
*buf += 1;
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*space_left -= nal_len;
/* PPS */
memcpy(*buf, marker, sizeof(marker));
*buf += 4;
*space_left -= 4;
**buf = 0x68; /* PPS NAL header */
*buf += 1;
Reported by FlawFinder.
Line: 236
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int nal_len;
memcpy(*buf, marker, sizeof(marker));
*buf += 4;
*space_left -= 4;
/* Frame NAL header */
**buf = (frame_gop_seqno == 0) ? 0x25 : 0x21;
Reported by FlawFinder.
drivers/media/platform/allegro-dvt/nal-h264.c
3 issues
Line: 479
Column: 28
CWE codes:
120
20
if (!src)
return -EINVAL;
rbsp_init(&rbsp, src, n, &read);
nal_h264_read_start_code_prefix(&rbsp);
rbsp_bit(&rbsp, &forbidden_zero_bit);
rbsp_bits(&rbsp, 2, &nal_ref_idc);
Reported by FlawFinder.
Line: 656
Column: 28
CWE codes:
120
20
if (!src)
return -EINVAL;
rbsp_init(&rbsp, src, n, &read);
nal_h264_read_start_code_prefix(&rbsp);
rbsp_bit(&rbsp, &forbidden_zero_bit);
rbsp_bits(&rbsp, 2, &nal_ref_idc);
Reported by FlawFinder.