!9440 fix CVE-2024-38621 (e32ad9da) · Commits · EulixOS / Software / Kernel

drivers/media/usb/stk1160/stk1160-video.c

+15 −5

Original line number	Diff line number	Diff line
		@@ -99,7 +99,7 @@ void stk1160_buffer_done(struct stk1160 *dev)
		static inline
		void stk1160_copy_video(struct stk1160 dev, u8 src, int len)
		{
		int linesdone, lineoff, lencopy;
		int linesdone, lineoff, lencopy, offset;
		int bytesperline = dev->width * 2;
		struct stk1160_buffer *buf = dev->isoc_ctl.buf;
		u8 *dst = buf->mem;
		@@ -140,8 +140,13 @@ void stk1160_copy_video(struct stk1160 dev, u8 src, int len)
		* Check if we have enough space left in the buffer.
		* In that case, we force loop exit after copy.
		*/
		if (lencopy > buf->bytesused - buf->length) {
		lencopy = buf->bytesused - buf->length;
		offset = dst - (u8 *)buf->mem;
		if (offset > buf->length) {
		dev_warn_ratelimited(dev->dev, "out of bounds offset\n");
		return;
		}
		if (lencopy > buf->length - offset) {
		lencopy = buf->length - offset;
		remain = lencopy;
		}

		@@ -183,8 +188,13 @@ void stk1160_copy_video(struct stk1160 dev, u8 src, int len)
		* Check if we have enough space left in the buffer.
		* In that case, we force loop exit after copy.
		*/
		if (lencopy > buf->bytesused - buf->length) {
		lencopy = buf->bytesused - buf->length;
		offset = dst - (u8 *)buf->mem;
		if (offset > buf->length) {
		dev_warn_ratelimited(dev->dev, "offset out of bounds\n");
		return;
		}
		if (lencopy > buf->length - offset) {
		lencopy = buf->length - offset;
		remain = lencopy;
		}