@@ -139,8 +139,8 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
* Check if we have enough space left in the buffer.
* In that case, we force loop exit after copy.
*/
- if (lencopy > buf->bytesused - buf->length) {
- lencopy = buf->bytesused - buf->length;
+ if (lencopy > buf->length - buf->bytesused) {
+ lencopy = buf->length - buf->bytesused;
remain = lencopy;
}
@@ -182,8 +182,8 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
* Check if we have enough space left in the buffer.
* In that case, we force loop exit after copy.
*/
- if (lencopy > buf->bytesused - buf->length) {
- lencopy = buf->bytesused - buf->length;
+ if (lencopy > buf->length - buf->bytesused) {
+ lencopy = buf->length - buf->bytesused;
remain = lencopy;
}
The subtract in this condition is reversed. The ->length is the length of the buffer. The ->bytesused is how many bytes we have copied thus far. When the condition is reversed that means the result of the subtraction is always negative but since it's unsigned then the result is a very high positive value. That means the overflow check is never true. Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- This patch is untested, I just spotted it in review. When this bug is fixed, the two checks for negative values of "lencopy" could be removed. I wrote a version of this patch which removed the checks, but in the end I decided to leave the checks. They're harmless. drivers/media/usb/stk1160/stk1160-video.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)