The following issues were found
drivers/media/radio/si470x/radio-si470x-i2c.c
2 issues
Line: 245
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char blocknum;
unsigned short bler; /* rds block errors */
unsigned short rds;
unsigned char tmpbuf[3];
int retval = 0;
/* check Seek/Tune Complete */
retval = si470x_get_register(radio, STATUSRSSI);
if (retval < 0)
Reported by FlawFinder.
Line: 306
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tmpbuf[2] |= 0x40; /* corrected error(s) */
/* copy RDS block to internal buffer */
memcpy(&radio->buffer[radio->wr_index], &tmpbuf, 3);
radio->wr_index += 3;
/* wrap write pointer */
if (radio->wr_index >= radio->buf_size)
radio->wr_index = 0;
Reported by FlawFinder.
drivers/media/common/saa7146/saa7146_video.c
2 issues
Line: 446
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strscpy((char *)cap->driver, "saa7146 v4l2", sizeof(cap->driver));
strscpy((char *)cap->card, dev->ext->name, sizeof(cap->card));
sprintf((char *)cap->bus_info, "PCI:%s", pci_name(dev->pci));
cap->capabilities = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_VIDEO_OVERLAY |
V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
V4L2_CAP_DEVICE_CAPS;
cap->capabilities |= dev->ext_vv_data->capabilities;
return 0;
Reported by FlawFinder.
Line: 773
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vv->ov.nclips = f->fmt.win.clipcount;
if (vv->ov.nclips > 16)
vv->ov.nclips = 16;
memcpy(vv->ov.clips, f->fmt.win.clips,
sizeof(struct v4l2_clip) * vv->ov.nclips);
/* vv->ov.fh is used to indicate that we have valid overlay information, too */
vv->ov.fh = fh;
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/ce6230.c
2 issues
Line: 52
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (requesttype == (USB_TYPE_VENDOR | USB_DIR_OUT)) {
/* write */
memcpy(buf, req->data, req->data_len);
pipe = usb_sndctrlpipe(d->udev, 0);
} else {
/* read */
pipe = usb_rcvctrlpipe(d->udev, 0);
}
Reported by FlawFinder.
Line: 75
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request, copy returned data to return buf */
if (!ret && requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
memcpy(req->data, buf, req->data_len);
kfree(buf);
error:
return ret;
}
Reported by FlawFinder.
drivers/media/platform/davinci/vpss.c
2 issues
Line: 272
Column: 8
CWE codes:
120
20
{
unsigned long flags;
u32 utemp, mask = 0x1, shift = 0, offset = DM365_ISP5_PCCR;
u32 (*read)(u32 offset) = isp5_read;
void(*write)(u32 val, u32 offset) = isp5_write;
switch (clock_sel) {
case VPSS_BL_CLOCK:
break;
Reported by FlawFinder.
Line: 341
Column: 10
CWE codes:
120
20
}
spin_lock_irqsave(&oper_cfg.vpss_lock, flags);
utemp = read(offset);
if (!en) {
mask = ~mask;
utemp &= (mask << shift);
} else
utemp |= (mask << shift);
Reported by FlawFinder.
drivers/media/platform/mtk-vcodec/vdec/vdec_h264_if.c
2 issues
Line: 107
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @crop : crop information (AP-R, VPU-W)
*/
struct vdec_h264_vsi {
unsigned char hdr_buf[HDR_PARSING_BUF_SZ];
uint64_t pred_buf_dma;
uint64_t mv_buf_dma[H264_MAX_FB_NUM];
struct h264_ring_fb_list list_free;
struct h264_ring_fb_list list_disp;
struct vdec_h264_dec_info dec;
Reported by FlawFinder.
Line: 378
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = -EILSEQ;
goto err_free_fb_out;
}
memcpy(inst->vsi->hdr_buf, buf + nal_start_idx, buf_sz);
}
inst->vsi->dec.bs_dma = (uint64_t)bs->dma_addr;
inst->vsi->dec.y_fb_dma = y_fb_dma;
inst->vsi->dec.c_fb_dma = c_fb_dma;
Reported by FlawFinder.
drivers/net/arcnet/rfc1201.c
2 issues
Line: 195
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* up to sizeof(pkt->soft) has already
* been copied from the card
*/
memcpy(pkt, pkthdr, sizeof(struct archdr));
if (length > sizeof(pkt->soft))
lp->hw.copy_from_card(dev, bufnum,
ofs + sizeof(pkt->soft),
pkt->soft.raw + sizeof(pkt->soft),
length - sizeof(pkt->soft));
Reported by FlawFinder.
Line: 303
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkt = (struct archdr *)skb->data;
soft = &pkt->soft.rfc1201;
memcpy(pkt, pkthdr, ARC_HDR_SIZE + RFC1201_HDR_SIZE);
skb_put(skb, ARC_HDR_SIZE + RFC1201_HDR_SIZE);
soft->split_flag = 0; /* end result won't be split */
} else { /* not first packet */
int packetnum = ((unsigned)soft->split_flag >> 1) + 1;
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/ec168.c
2 issues
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (requesttype == (USB_TYPE_VENDOR | USB_DIR_OUT)) {
/* write */
memcpy(buf, req->data, req->size);
pipe = usb_sndctrlpipe(d->udev, 0);
} else {
/* read */
pipe = usb_rcvctrlpipe(d->udev, 0);
}
Reported by FlawFinder.
Line: 86
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read request, copy returned data to return buf */
if (!ret && requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
memcpy(req->data, buf, req->size);
kfree(buf);
return ret;
err_dealloc:
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/gl861.c
2 issues
Line: 43
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (request) {
case CMD_WRITE:
memcpy(ctx->buf, data, size);
fallthrough;
case CMD_WRITE_SHORT:
pipe = usb_sndctrlpipe(d->udev, 0);
requesttype = USB_TYPE_VENDOR | USB_DIR_OUT;
break;
Reported by FlawFinder.
Line: 67
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_mutex_unlock;
if (request == CMD_READ)
memcpy(data, ctx->buf, size);
usleep_range(1000, 2000); /* Avoid I2C errors */
mutex_unlock(&d->usb_mutex);
Reported by FlawFinder.
drivers/media/usb/tm6000/tm6000.h
2 issues
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tm6000_core {
/* generic device properties */
char name[30]; /* name (including minor) of the device */
int model; /* index in the device_data struct */
int devno; /* marks the number of this device */
enum tm6000_devtype dev_type; /* type of device */
unsigned char eedata[256]; /* Eeprom data */
unsigned eedata_size; /* Size of the eeprom info */
Reported by FlawFinder.
Line: 167
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int model; /* index in the device_data struct */
int devno; /* marks the number of this device */
enum tm6000_devtype dev_type; /* type of device */
unsigned char eedata[256]; /* Eeprom data */
unsigned eedata_size; /* Size of the eeprom info */
v4l2_std_id norm; /* Current norm */
int width, height; /* Selected resolution */
Reported by FlawFinder.
drivers/media/usb/dvb-usb-v2/mxl111sf-demod.c
2 issues
Line: 559
FE_CAN_TRANSMISSION_MODE_AUTO | FE_CAN_RECOVER
},
.release = mxl111sf_demod_release,
#if 0
.init = mxl111sf_init,
.i2c_gate_ctrl = mxl111sf_i2c_gate_ctrl,
#endif
.set_frontend = mxl111sf_demod_set_frontend,
.get_frontend = mxl111sf_demod_get_frontend,
Reported by Cppcheck.
Line: 587
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
state->mxl_state = mxl_state;
state->cfg = cfg;
memcpy(&state->fe.ops, &mxl111sf_demod_ops,
sizeof(struct dvb_frontend_ops));
state->fe.demodulator_priv = state;
return &state->fe;
}
Reported by FlawFinder.