The following issues were found
drivers/media/usb/em28xx/em28xx-input.c
3 issues
Line: 62
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct em28xx_IR {
struct em28xx *dev;
struct rc_dev *rc;
char phys[32];
/* poll decoder */
int polling;
struct delayed_work work;
unsigned int full_code:1;
Reported by FlawFinder.
Line: 116
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int em28xx_get_key_em_haup(struct i2c_client *i2c_dev,
enum rc_proto *protocol, u32 *scancode)
{
unsigned char buf[2];
int size;
/* poll IR chip */
size = i2c_master_recv(i2c_dev, buf, sizeof(buf));
Reported by FlawFinder.
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum rc_proto *protocol,
u32 *scancode)
{
unsigned char buf[3];
/* poll IR chip */
if (i2c_master_recv(i2c_dev, buf, 3) != 3)
return -EIO;
Reported by FlawFinder.
drivers/media/usb/em28xx/em28xx-video.c
3 issues
Line: 498
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (lencopy <= 0)
return;
memcpy(startwrite, startread, lencopy);
remain -= lencopy;
while (remain > 0) {
if (v4l2->progressive)
Reported by FlawFinder.
Line: 525
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (lencopy <= 0)
break;
memcpy(startwrite, startread, lencopy);
remain -= lencopy;
}
buf->pos += len;
Reported by FlawFinder.
Line: 551
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf->top_field == 0)
offset += dev->v4l2->vbi_width * dev->v4l2->vbi_height;
memcpy(buf->vb_buf + offset, usb_buf, len);
buf->pos += len;
}
static inline void print_err_status(struct em28xx *dev,
int packet, int status)
Reported by FlawFinder.
drivers/media/usb/go7007/go7007-priv.h
3 issues
Line: 160
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int board_id;
int tuner_type;
int channel_number; /* for multi-channel boards like Adlink PCI-MPG24 */
char name[64];
struct video_device vdev;
void *boot_fw;
unsigned boot_fw_len;
struct v4l2_device v4l2_dev;
struct v4l2_ctrl_handler hdl;
Reported by FlawFinder.
Line: 220
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int motion_threshold;
int mb_threshold;
} modet[4];
unsigned char modet_map[1624];
unsigned char active_map[216];
u32 modet_event_status;
/* Video streaming */
struct mutex queue_lock;
Reported by FlawFinder.
Line: 221
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mb_threshold;
} modet[4];
unsigned char modet_map[1624];
unsigned char active_map[216];
u32 modet_event_status;
/* Video streaming */
struct mutex queue_lock;
struct vb2_queue vidq;
Reported by FlawFinder.
drivers/media/usb/go7007/snd-go7007.c
3 issues
Line: 25
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "go7007-priv.h"
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX;
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR;
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP;
module_param_array(index, int, NULL, 0444);
module_param_array(id, charp, NULL, 0444);
module_param_array(enable, bool, NULL, 0444);
Reported by FlawFinder.
Line: 80
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (gosnd->w_idx + length > runtime->dma_bytes) {
int cpy = runtime->dma_bytes - gosnd->w_idx;
memcpy(runtime->dma_area + gosnd->w_idx, buf, cpy);
length -= cpy;
buf += cpy;
gosnd->w_idx = 0;
}
memcpy(runtime->dma_area + gosnd->w_idx, buf, length);
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf += cpy;
gosnd->w_idx = 0;
}
memcpy(runtime->dma_area + gosnd->w_idx, buf, length);
gosnd->w_idx += length;
spin_lock_irqsave(&gosnd->lock, flags);
if (gosnd->avail < runtime->period_size) {
spin_unlock_irqrestore(&gosnd->lock, flags);
return;
Reported by FlawFinder.
drivers/media/usb/gspca/gl860/gl860.c
3 issues
Line: 42
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(AC50Hz, int, 0644);
MODULE_PARM_DESC(AC50Hz, " Does AC power frequency is 50Hz? (0/1)");
static char sensor[7];
module_param_string(sensor, sensor, sizeof(sensor), 0644);
MODULE_PARM_DESC(sensor,
" Driver sensor ('MI1320'/'MI2020'/'OV9655'/'OV2640')");
/*============================ webcam controls =============================*/
Reported by FlawFinder.
Line: 547
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pref == 0x40) { /* Send */
if (len > 0) {
memcpy(gspca_dev->usb_buf, pdata, len);
r = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
req, pref, val, index,
gspca_dev->usb_buf,
len, 400 + 200 * (len > 1));
} else {
Reported by FlawFinder.
Line: 562
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req, pref, val, index,
gspca_dev->usb_buf,
len, 400 + 200 * (len > 1));
memcpy(pdata, gspca_dev->usb_buf, len);
} else {
gspca_err(gspca_dev, "zero-length read request\n");
r = -EINVAL;
}
}
Reported by FlawFinder.
drivers/media/usb/gspca/jl2005bcd.c
3 issues
Line: 31
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* specific webcam descriptor */
struct sd {
struct gspca_dev gspca_dev; /* !! must be the first item */
unsigned char firmware_id[6];
const struct v4l2_pix_format *cap_mode;
/* Driver stuff */
struct work_struct work_struct;
u8 frame_brightness;
int block_size; /* block size of camera */
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
int retval;
memcpy(gspca_dev->usb_buf, command, 2);
retval = usb_bulk_msg(gspca_dev->dev,
usb_sndbulkpipe(gspca_dev->dev, 3),
gspca_dev->usb_buf, 2, NULL, 500);
if (retval < 0)
pr_err("command write [%02x] error %d\n",
Reported by FlawFinder.
Line: 309
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bytes_left = 0; /* bytes remaining in current frame. */
int data_len; /* size to use for the next read. */
int header_read = 0;
unsigned char header_sig[2] = {0x4a, 0x4c};
int act_len;
int packet_type;
int ret;
u8 *buffer;
Reported by FlawFinder.
drivers/media/usb/gspca/kinect.c
3 issues
Line: 142
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chdr->tag = cpu_to_le16(sd->cam_tag);
chdr->len = cpu_to_le16(cmd_len / 2);
memcpy(obuf+sizeof(*chdr), cmdbuf, cmd_len);
res = kinect_write(udev, obuf, cmd_len + sizeof(*chdr));
gspca_dbg(gspca_dev, D_USBO, "Control cmd=%04x tag=%04x len=%04x: %d\n",
cmd,
sd->cam_tag, cmd_len, res);
Reported by FlawFinder.
Line: 188
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (actual_len > reply_len) {
pr_warn("send_cmd: Data buffer is %d bytes long, but got %d bytes\n",
reply_len, actual_len);
memcpy(replybuf, ibuf+sizeof(*rhdr), reply_len);
} else {
memcpy(replybuf, ibuf+sizeof(*rhdr), actual_len);
}
sd->cam_tag++;
Reported by FlawFinder.
Line: 190
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reply_len, actual_len);
memcpy(replybuf, ibuf+sizeof(*rhdr), reply_len);
} else {
memcpy(replybuf, ibuf+sizeof(*rhdr), actual_len);
}
sd->cam_tag++;
return actual_len;
Reported by FlawFinder.
drivers/media/usb/gspca/mr97310a.c
3 issues
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gspca_dev->usb_buf[0] = 0x1f;
gspca_dev->usb_buf[1] = flags;
gspca_dev->usb_buf[2] = reg;
memcpy(gspca_dev->usb_buf + 3, data, len);
return mr_write(gspca_dev, len + 3);
}
static int sensor_write_regs(struct gspca_dev *gspca_dev,
Reported by FlawFinder.
Line: 506
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Note: Some of the above descriptions guessed from MR97113A driver */
memcpy(data, startup_string, 11);
if (sd->sensor_type)
data[5] = 0xbb;
switch (gspca_dev->pixfmt.width) {
case 160:
Reported by FlawFinder.
Line: 597
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0x00, 0x50, 0xc0};
/* What some of these mean is explained in start_cif_cam(), above */
memcpy(data, startup_string, 11);
if (!sd->sensor_type) {
data[5] = 0x00;
data[10] = 0x91;
}
if (sd->sensor_type == 2) {
Reported by FlawFinder.
drivers/media/usb/gspca/sn9c2028.c
3 issues
Line: 36
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct init_command {
unsigned char instruction[6];
unsigned char to_read; /* length to read. 0 means no reply requested */
};
/* How to change the resolution of any of the VGA cams is unknown */
static const struct v4l2_pix_format vga_mode[] = {
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
command[0], command[1], command[2],
command[3], command[4], command[5]);
memcpy(gspca_dev->usb_buf, command, 6);
rc = usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
USB_REQ_GET_CONFIGURATION,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
2, 0, gspca_dev->usb_buf, 6, 500);
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("read4 error %d\n", rc);
return (rc < 0) ? rc : -EIO;
}
memcpy(reading, gspca_dev->usb_buf, 4);
gspca_dbg(gspca_dev, D_USBI, "read4 response %02x%02x%02x%02x\n",
reading[0], reading[1], reading[2], reading[3]);
return rc;
}
Reported by FlawFinder.
drivers/media/usb/gspca/topro.c
3 issues
Line: 948
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int height,
int width)
{
memcpy(jpeg_hdr, jpeg_head, sizeof jpeg_head);
jpeg_hdr[JPEG_HEIGHT_OFFSET + 0] = height >> 8;
jpeg_hdr[JPEG_HEIGHT_OFFSET + 1] = height;
jpeg_hdr[JPEG_HEIGHT_OFFSET + 2] = width >> 8;
jpeg_hdr[JPEG_HEIGHT_OFFSET + 3] = width;
}
Reported by FlawFinder.
Line: 1083
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = length > BULK_OUT_SIZE - 1
? BULK_OUT_SIZE - 1 : length;
gspca_dev->usb_buf[0] = tag;
memcpy(&gspca_dev->usb_buf[1], data, count);
ret = usb_bulk_msg(dev,
usb_sndbulkpipe(dev, 3),
gspca_dev->usb_buf, count + 1,
&actual_count, 500);
if (ret < 0) {
Reported by FlawFinder.
Line: 1451
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sd->sensor == SENSOR_SOI763A)
jpeg_set_qual(sd->jpeg_hdr, jpeg_q[q]);
else
memcpy(&sd->jpeg_hdr[JPEG_QT0_OFFSET - 1],
DQT[q], sizeof DQT[0]);
}
/* set the JPEG compression quality factor */
static void setquality(struct gspca_dev *gspca_dev, s32 q)
Reported by FlawFinder.