From b90ed914e513a6ad6184f7a46a0df0888dcfc177 Mon Sep 17 00:00:00 2001 From: Johannes Stezenbach Date: Tue, 8 Nov 2005 21:35:25 -0800 Subject: [PATCH] dvb: Fix integer overflow bug Fix integer overflow bug in read_signal_strength() reported by Anthony Leclerc. Signed-off-by: Johannes Stezenbach Signed-off-by: Michael Krufky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/media/dvb/frontends/or51132.c | 7 ++++++- drivers/media/dvb/frontends/or51211.c | 8 ++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) (limited to 'drivers/media/dvb/frontends') diff --git a/drivers/media/dvb/frontends/or51132.c b/drivers/media/dvb/frontends/or51132.c index fc74c40d647..78bded861d0 100644 --- a/drivers/media/dvb/frontends/or51132.c +++ b/drivers/media/dvb/frontends/or51132.c @@ -468,6 +468,7 @@ static int or51132_read_signal_strength(struct dvb_frontend* fe, u16* strength) unsigned char snd_buf[2]; u8 rcvr_stat; u16 snr_equ; + u32 signal_strength; int usK; snd_buf[0]=0x04; @@ -503,7 +504,11 @@ static int or51132_read_signal_strength(struct dvb_frontend* fe, u16* strength) usK = (rcvr_stat & 0x10) ? 3 : 0; /* The value reported back from the frontend will be FFFF=100% 0000=0% */ - *strength = (((8952 - i20Log10(snr_equ) - usK*100)/3+5)*65535)/1000; + signal_strength = (((8952 - i20Log10(snr_equ) - usK*100)/3+5)*65535)/1000; + if (signal_strength > 0xffff) + *strength = 0xffff; + else + *strength = signal_strength; dprintk("read_signal_strength %i\n",*strength); return 0; diff --git a/drivers/media/dvb/frontends/or51211.c b/drivers/media/dvb/frontends/or51211.c index 8a9db23dd1b..531f76246e5 100644 --- a/drivers/media/dvb/frontends/or51211.c +++ b/drivers/media/dvb/frontends/or51211.c @@ -339,6 +339,7 @@ static int or51211_read_signal_strength(struct dvb_frontend* fe, u16* strength) u8 rec_buf[2]; u8 snd_buf[4]; u8 snr_equ; + u32 signal_strength; /* SNR after Equalizer */ snd_buf[0] = 0x04; @@ -358,8 +359,11 @@ static int or51211_read_signal_strength(struct dvb_frontend* fe, u16* strength) snr_equ = rec_buf[0] & 0xff; /* The value reported back from the frontend will be FFFF=100% 0000=0% */ - *strength = (((5334 - i20Log10(snr_equ))/3+5)*65535)/1000; - + signal_strength = (((5334 - i20Log10(snr_equ))/3+5)*65535)/1000; + if (signal_strength > 0xffff) + *strength = 0xffff; + else + *strength = signal_strength; dprintk("read_signal_strength %i\n",*strength); return 0; -- cgit v1.2.3-70-g09d2