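The following issues were found. FlawFinder matches on function and identifier names rather than on data flow, so each finding below needs manual review before it is treated as a defect.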
drivers/mtd/spi-nor/core.h
2 issues
Line: 214
Column: 8
CWE codes:
120
20
* @is_locked: check if an OTP region of the SPI NOR is locked.
*/
struct spi_nor_otp_ops {
int (*read)(struct spi_nor *nor, loff_t addr, size_t len, u8 *buf);
int (*write)(struct spi_nor *nor, loff_t addr, size_t len,
const u8 *buf);
int (*lock)(struct spi_nor *nor, unsigned int region);
int (*erase)(struct spi_nor *nor, loff_t addr);
int (*is_locked)(struct spi_nor *nor, unsigned int region);
Reported by FlawFinder.
Line: 531
Column: 61
CWE codes:
120
20
int spi_nor_hwcaps_read2cmd(u32 hwcaps);
u8 spi_nor_convert_3to4_read(u8 opcode);
void spi_nor_set_read_settings(struct spi_nor_read_command *read,
u8 num_mode_clocks,
u8 num_wait_states,
u8 opcode,
enum spi_nor_protocol proto);
void spi_nor_set_pp_settings(struct spi_nor_pp_command *pp, u8 opcode,
Reported by FlawFinder.
drivers/misc/mei/dma-ring.c
2 issues
Line: 136
Column: 2
CWE codes:
120
Suggestion:
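Make sure the destination can always hold the source data. Here the copy is n << 2 bytes read from byte offset offset << 2 of dbuf; no bounds check appears in this excerpt, so confirm that the caller validates both values against the sizes of buf and dbuf.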
size_t b_offset = offset << 2;
size_t b_n = n << 2;
memcpy(buf, dbuf + b_offset, b_n);
return b_n;
}
/**
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
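Make sure the destination can always hold the source data. Here the copy is n << 2 bytes written at byte offset offset << 2 of hbuf; no bounds check appears in this excerpt, so confirm that the caller validates both values against the size of hbuf.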
size_t b_offset = offset << 2;
size_t b_n = n << 2;
memcpy(hbuf + b_offset, buf, b_n);
return b_n;
}
/**
Reported by FlawFinder.
drivers/media/platform/vsp1/vsp1_rpf.c
2 issues
Line: 347
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vsp1_rwpf *vsp1_rpf_create(struct vsp1_device *vsp1, unsigned int index)
{
struct vsp1_rwpf *rpf;
char name[6];
int ret;
rpf = devm_kzalloc(vsp1->dev, sizeof(*rpf), GFP_KERNEL);
if (rpf == NULL)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
Line: 361
Column: 2
CWE codes:
120
Suggestion:
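Use sprintf_s, snprintf, or vsnprintf. In kernel code that means snprintf or scnprintf bounded by sizeof(name), since sprintf_s is not provided there. The declaration shown in the previous finding is char name[6], which holds "rpf.%u" plus the terminating NUL only while index is a single digit; whether index can exceed 9 is not visible in this excerpt.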
rpf->entity.type = VSP1_ENTITY_RPF;
rpf->entity.index = index;
sprintf(name, "rpf.%u", index);
ret = vsp1_entity_init(vsp1, &rpf->entity, name, 2, &rpf_ops,
MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER);
if (ret < 0)
return ERR_PTR(ret);
Reported by FlawFinder.
drivers/media/i2c/saa7115.c
2 issues
Line: 1708
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct i2c_device_id *id,
char *name)
{
char chip_ver[CHIP_VER_SIZE];
char chip_id;
int i;
int autodetect;
autodetect = !id || id->driver_data == 1;
Reported by FlawFinder.
Line: 1815
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_ctrl_handler *hdl;
struct saa7115_platform_data *pdata;
int ident;
char name[CHIP_VER_SIZE + 1];
#if defined(CONFIG_MEDIA_CONTROLLER)
int ret;
#endif
/* Check if the adapter supports the needed features */
Reported by FlawFinder.
drivers/media/tuners/fc0012.c
2 issues
Line: 125
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dtv_frontend_properties *p = &fe->dtv_property_cache;
u32 freq = p->frequency / 1000;
u32 delsys = p->delivery_system;
unsigned char reg[7], am, pm, multi, tmp;
unsigned long f_vco;
unsigned short xtal_freq_khz_2, xin, xdiv;
bool vco_select = false;
if (fe->callback) {
Reported by FlawFinder.
Line: 483
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
fe->tuner_priv = priv;
memcpy(&fe->ops.tuner_ops, &fc0012_tuner_ops,
sizeof(struct dvb_tuner_ops));
err:
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 0);
Reported by FlawFinder.
drivers/media/tuners/qm1d1c0042.c
2 issues
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = -EINVAL;
goto failed;
}
memcpy(state->regs, reg_initval[reg_index], QM1D1C0042_NUM_REGS);
usleep_range(2000, 3000);
state->regs[0x0c] |= 0x40;
ret = reg_write(state, 0x0c, state->regs[0x0c]);
if (ret < 0)
Reported by FlawFinder.
Line: 420
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fe = cfg->fe;
fe->tuner_priv = state;
qm1d1c0042_set_config(fe, cfg);
memcpy(&fe->ops.tuner_ops, &qm1d1c0042_ops, sizeof(qm1d1c0042_ops));
i2c_set_clientdata(client, &state->cfg);
dev_info(&client->dev, "Sharp QM1D1C0042 attached.\n");
return 0;
}
Reported by FlawFinder.
drivers/media/i2c/s5c73m3/s5c73m3-core.c
2 issues
Line: 48
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define S5C73M3_MIPI_DATA_LANES 4
#define S5C73M3_CLK_NAME "cis_extclk"
static const char * const s5c73m3_supply_names[S5C73M3_MAX_SUPPLIES] = {
"vdd-int", /* Digital Core supply (1.2V), CAM_ISP_CORE_1.2V */
"vdda", /* Analog Core supply (1.2V), CAM_SENSOR_CORE_1.2V */
"vdd-reg", /* Regulator input supply (2.8V), CAM_SENSOR_A2.8V */
"vddio-host", /* Digital Host I/O power supply (1.8V...2.8V),
CAM_ISP_SENSOR_1.8V */
Reported by FlawFinder.
Line: 348
Column: 2
CWE codes:
119
120
Suggestion:
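Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only write to fw_name is an snprintf bounded by sizeof(fw_name), and the "%.2s" precision caps the formatted name at 14 characters.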
struct i2c_client *client = state->i2c_client;
const struct firmware *fw;
int ret;
char fw_name[20];
snprintf(fw_name, sizeof(fw_name), "SlimISP_%.2s.bin",
state->fw_file_version);
ret = request_firmware(&fw, fw_name, &client->dev);
if (ret < 0) {
Reported by FlawFinder.
drivers/media/platform/s5p-mfc/s5p_mfc_common.h
2 issues
Line: 230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int port_num;
u32 version_bit;
struct s5p_mfc_buf_size *buf_size;
char *fw_name[MFC_FW_MAX_VERSIONS];
const char *clk_names[MFC_MAX_CLOCKS];
int num_clocks;
bool use_clock_gating;
};
Reported by FlawFinder.
Line: 231
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 version_bit;
struct s5p_mfc_buf_size *buf_size;
char *fw_name[MFC_FW_MAX_VERSIONS];
const char *clk_names[MFC_MAX_CLOCKS];
int num_clocks;
bool use_clock_gating;
};
/**
Reported by FlawFinder.
drivers/media/test-drivers/vivid/vivid-vbi-gen.c
2 issues
Line: 56
Column: 2
CWE codes:
120
Suggestion:
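Make sure the destination can always hold the source data. In this excerpt the length is sizeof(teletext) - 3 and the destination starts at teletext + 3, so the write stays inside teletext; what remains to confirm is that data->data is at least that long, since otherwise the copy reads past the source.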
unsigned bit = 0;
int i;
memcpy(teletext + 3, data->data, sizeof(teletext) - 3);
/* prevents 32 bit overflow */
sampling_rate /= 10;
for (i = 0, bit = 0; bit < sizeof(teletext) * 8; bit++) {
unsigned n = ((bit + 1) * sampling_rate) / rate;
Reported by FlawFinder.
Line: 237
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset = 10;
}
packet += offset;
memcpy(packet, "Page: 100 Row: 10", 17);
packet[7] = '0' + frame / 10;
packet[8] = '0' + frame % 10;
packet[15] = '0' + line / 10;
packet[16] = '0' + line % 10;
for (i = 0; i < 42 - offset; i++)
Reported by FlawFinder.
drivers/media/tuners/tda18212.c
2 issues
Line: 197
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err;
}
memcpy(&dev->cfg, cfg, sizeof(struct tda18212_config));
dev->client = client;
dev->regmap = devm_regmap_init_i2c(client, &regmap_config);
if (IS_ERR(dev->regmap)) {
ret = PTR_ERR(dev->regmap);
goto err;
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"NXP TDA18212HN/%s successfully identified\n", version);
fe->tuner_priv = dev;
memcpy(&fe->ops.tuner_ops, &tda18212_tuner_ops,
sizeof(struct dvb_tuner_ops));
i2c_set_clientdata(client, dev);
return 0;
err:
Reported by FlawFinder.