The following issues were found
drivers/media/platform/aspeed-video.c
3 issues
Line: 409
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ASPEED_VIDEO_JPEG_NUM_QUALITIES; i++) {
base = 256 * i; /* AST HW requires this header spacing */
memcpy(&table[base], aspeed_video_jpeg_header,
sizeof(aspeed_video_jpeg_header));
base += ASPEED_VIDEO_JPEG_HEADER_SIZE;
memcpy(&table[base], aspeed_video_jpeg_dct[i],
sizeof(aspeed_video_jpeg_dct[i]));
Reported by FlawFinder.
Line: 413
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(aspeed_video_jpeg_header));
base += ASPEED_VIDEO_JPEG_HEADER_SIZE;
memcpy(&table[base], aspeed_video_jpeg_dct[i],
sizeof(aspeed_video_jpeg_dct[i]));
base += ASPEED_VIDEO_JPEG_DCT_SIZE;
memcpy(&table[base], aspeed_video_jpeg_quant,
sizeof(aspeed_video_jpeg_quant));
Reported by FlawFinder.
Line: 417
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(aspeed_video_jpeg_dct[i]));
base += ASPEED_VIDEO_JPEG_DCT_SIZE;
memcpy(&table[base], aspeed_video_jpeg_quant,
sizeof(aspeed_video_jpeg_quant));
if (yuv420)
table[base + 2] = 0x00220103;
}
Reported by FlawFinder.
drivers/media/platform/davinci/vpfe_capture.c
3 issues
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This make sure vpfe is probed and ready to go */
int vpfe_probed;
/* name of ccdc device */
char name[32];
};
/* data structures */
static struct vpfe_config_params config_params = {
.min_numbuffers = 3,
Reported by FlawFinder.
Line: 171
Column: 19
CWE codes:
362
int ret = 0;
printk(KERN_NOTICE "vpfe_register_ccdc_device: %s\n", dev->name);
if (!dev->hw_ops.open ||
!dev->hw_ops.enable ||
!dev->hw_ops.set_hw_if_params ||
!dev->hw_ops.configure ||
!dev->hw_ops.set_buftype ||
!dev->hw_ops.get_buftype ||
Reported by FlawFinder.
Line: 400
Column: 25
CWE codes:
362
ret = -ENODEV;
goto unlock;
}
ret = ccdc_dev->hw_ops.open(vpfe_dev->pdev);
if (!ret)
vpfe_dev->initialized = 1;
/* Clear all VPFE/CCDC interrupts */
if (vpfe_dev->cfg->clr_intr)
Reported by FlawFinder.
drivers/media/platform/davinci/vpif_capture.c
3 issues
Line: 504
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (config->hd_sd == 0) {
vpif_dbg(2, debug, "SD format\n");
if (config->stdid & vid_ch->stdid) {
memcpy(std_info, config, sizeof(*config));
break;
}
} else {
vpif_dbg(2, debug, "HD format\n");
if (!memcmp(&config->dv_timings, &vid_ch->dv_timings,
Reported by FlawFinder.
Line: 511
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vpif_dbg(2, debug, "HD format\n");
if (!memcmp(&config->dv_timings, &vid_ch->dv_timings,
sizeof(vid_ch->dv_timings))) {
memcpy(std_info, config, sizeof(*config));
break;
}
}
}
Reported by FlawFinder.
Line: 878
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (input->index >= chan_cfg->input_count)
return -EINVAL;
memcpy(input, &chan_cfg->inputs[input->index].input,
sizeof(*input));
return 0;
}
/**
Reported by FlawFinder.
drivers/media/platform/exynos4-is/fimc-is.h
3 issues
Line: 181
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *vaddr;
unsigned int size;
char info[FIMC_IS_FW_INFO_LEN + 1];
char version[FIMC_IS_FW_VER_LEN + 1];
char setfile_info[FIMC_IS_SETFILE_INFO_LEN + 1];
u8 state;
};
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int size;
char info[FIMC_IS_FW_INFO_LEN + 1];
char version[FIMC_IS_FW_VER_LEN + 1];
char setfile_info[FIMC_IS_SETFILE_INFO_LEN + 1];
u8 state;
};
struct fimc_is_memory {
Reported by FlawFinder.
Line: 183
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char info[FIMC_IS_FW_INFO_LEN + 1];
char version[FIMC_IS_FW_VER_LEN + 1];
char setfile_info[FIMC_IS_SETFILE_INFO_LEN + 1];
u8 state;
};
struct fimc_is_memory {
/* DMA base address */
Reported by FlawFinder.
drivers/media/platform/mtk-vcodec/venc/venc_vp8_if.c
3 issues
Line: 198
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
handler = inst->vpu_inst.ctx->dev->fw_handler;
tmp_va = mtk_vcodec_fw_map_dm_addr(handler,
wb[i].vpua);
memcpy(inst->work_bufs[i].va, tmp_va, wb[i].size);
}
wb[i].iova = inst->work_bufs[i].dma_addr;
mtk_vcodec_debug(inst,
"work_bufs[%d] va=0x%p,iova=%pad,size=%zu",
Reported by FlawFinder.
Line: 286
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memmove(bs_buf->va + bs_hdr_len + ac_tag_size,
bs_buf->va, bs_frm_size);
memcpy(bs_buf->va + ac_tag_size,
inst->work_bufs[VENC_VP8_VPU_WORK_BUF_BS_HEADER].va,
bs_hdr_len);
memcpy(bs_buf->va, ac_tag, ac_tag_size);
*bs_size = bs_frm_size + bs_hdr_len + ac_tag_size;
Reported by FlawFinder.
Line: 289
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(bs_buf->va + ac_tag_size,
inst->work_bufs[VENC_VP8_VPU_WORK_BUF_BS_HEADER].va,
bs_hdr_len);
memcpy(bs_buf->va, ac_tag, ac_tag_size);
*bs_size = bs_frm_size + bs_hdr_len + ac_tag_size;
return 0;
}
Reported by FlawFinder.
drivers/media/platform/sti/hva/hva-h264.c
3 issues
Line: 444
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
type = PICTURE_CODING_TYPE_P;
memcpy(slice_header_addr, slice_header, sizeof(slice_header));
*header_size = 56;
*header_offset0 = 40;
*header_offset1 = 13;
*header_offset2 = 0;
Reported by FlawFinder.
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* start code */
memcpy(addr + *size, start, sizeof(start));
*size += sizeof(start);
/* nal_unit_type */
addr[*size] = NALU_TYPE_FILLER_DATA;
*size += 1;
Reported by FlawFinder.
Line: 532
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 msg = 0;
/* start code */
memcpy(addr + *size, start, sizeof(start));
*size += sizeof(start);
/* nal_unit_type */
addr[*size] = NALU_TYPE_SEI;
*size += 1;
Reported by FlawFinder.
drivers/media/rc/ir_toy.c
3 issues
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint sw_version;
uint proto_version;
char phys[64];
};
static void irtoy_response(struct irtoy *irtoy, u32 len)
{
switch (irtoy->state) {
Reported by FlawFinder.
Line: 180
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_dbg(irtoy->dev, "remaining:%u sending:%u\n",
irtoy->tx_len, buf_len);
memcpy(irtoy->out, irtoy->tx_buf, buf_len);
irtoy->urb_out->transfer_buffer_length = buf_len;
err = usb_submit_urb(irtoy->urb_out, GFP_ATOMIC);
if (err != 0) {
dev_err(irtoy->dev, "fail to submit tx buf urb: %d\n",
err);
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
irtoy->state = state;
memcpy(irtoy->out, cmd, cmd_len);
irtoy->urb_out->transfer_buffer_length = cmd_len;
err = usb_submit_urb(irtoy->urb_out, GFP_KERNEL);
if (err != 0)
return err;
Reported by FlawFinder.
drivers/media/test-drivers/vim2m.c
3 issues
Line: 274
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int x, depth = q_data_out->fmt->depth >> 3;
if (!reverse) {
memcpy(dst, src, q_data_out->width * depth);
} else {
for (x = 0; x < q_data_out->width >> 1; x++) {
memcpy(dst, src, depth);
memcpy(dst + depth, src - depth, depth);
src -= depth << 1;
Reported by FlawFinder.
Line: 277
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, src, q_data_out->width * depth);
} else {
for (x = 0; x < q_data_out->width >> 1; x++) {
memcpy(dst, src, depth);
memcpy(dst + depth, src - depth, depth);
src -= depth << 1;
dst += depth << 1;
}
return;
Reported by FlawFinder.
Line: 278
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
for (x = 0; x < q_data_out->width >> 1; x++) {
memcpy(dst, src, depth);
memcpy(dst + depth, src - depth, depth);
src -= depth << 1;
dst += depth << 1;
}
return;
}
Reported by FlawFinder.
drivers/media/tuners/mxl5005s.c
3 issues
Line: 340
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mxl5005s_SetRfFreqHz(struct dvb_frontend *fe, unsigned long RfFreqHz)
{
struct mxl5005s_state *state = fe->tuner_priv;
unsigned char AddrTable[MXL5005S_REG_WRITING_TABLE_LEN_MAX];
unsigned char ByteTable[MXL5005S_REG_WRITING_TABLE_LEN_MAX];
int TableLen;
u32 IfDivval = 0;
unsigned char MasterControlByte;
Reported by FlawFinder.
Line: 341
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mxl5005s_state *state = fe->tuner_priv;
unsigned char AddrTable[MXL5005S_REG_WRITING_TABLE_LEN_MAX];
unsigned char ByteTable[MXL5005S_REG_WRITING_TABLE_LEN_MAX];
int TableLen;
u32 IfDivval = 0;
unsigned char MasterControlByte;
Reported by FlawFinder.
Line: 4125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
printk(KERN_INFO "MXL5005S: Attached at address 0x%02x\n",
config->i2c_address);
memcpy(&fe->ops.tuner_ops, &mxl5005s_tuner_ops,
sizeof(struct dvb_tuner_ops));
fe->tuner_priv = state;
return fe;
}
Reported by FlawFinder.
drivers/media/usb/airspy/airspy.c
3 issues
Line: 192
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* write request */
if (!(requesttype & USB_DIR_IN))
memcpy(s->buf, data, size);
ret = usb_control_msg(s->udev, pipe, request, requesttype, value,
index, s->buf, size, 1000);
airspy_dbg_usb_control_msg(s->dev, request, requesttype, value,
index, s->buf, size);
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request */
if (requesttype & USB_DIR_IN)
memcpy(data, s->buf, size);
return 0;
err:
return ret;
}
Reported by FlawFinder.
Line: 237
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int dst_len;
if (s->pixelformat == V4L2_SDR_FMT_RU12LE) {
memcpy(dst, src, src_len);
dst_len = src_len;
} else {
dst_len = 0;
}
Reported by FlawFinder.