From a608a17bf36862ed3e4912501af2fb094d156e4f Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <mchehab@infradead.org>
Date: Sun, 14 Jan 2007 16:29:42 -0200
Subject: Cpia.c: buffer overflow

From: Alexey Dobriyan <adobriyan@gmail.com>

If assigned minor is 10 or greater, terminator will be put beyound the end.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
---
 linux/drivers/media/video/cpia.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux/drivers/media/video/cpia.c b/linux/drivers/media/video/cpia.c
index 9214c15c4..2494bb844 100644
--- a/linux/drivers/media/video/cpia.c
+++ b/linux/drivers/media/video/cpia.c
@@ -1353,13 +1353,13 @@ out:
 
 static void create_proc_cpia_cam(struct cam_data *cam)
 {
-	char name[7];
+	char name[5 + 1 + 10 + 1];
 	struct proc_dir_entry *ent;
 
 	if (!cpia_proc_root || !cam)
 		return;
 
-	sprintf(name, "video%d", cam->vdev.minor);
+	snprintf(name, sizeof(name), "video%d", cam->vdev.minor);
 
 	ent = create_proc_entry(name, S_IFREG|S_IRUGO|S_IWUSR, cpia_proc_root);
 	if (!ent)
@@ -1379,12 +1379,12 @@ static void create_proc_cpia_cam(struct cam_data *cam)
 
 static void destroy_proc_cpia_cam(struct cam_data *cam)
 {
-	char name[7];
+	char name[5 + 1 + 10 + 1];
 
 	if (!cam || !cam->proc_entry)
 		return;
 
-	sprintf(name, "video%d", cam->vdev.minor);
+	snprintf(name, sizeof(name), "video%d", cam->vdev.minor);
 	remove_proc_entry(name, cpia_proc_root);
 	cam->proc_entry = NULL;
 }
-- 
cgit v1.2.3