From b876feaf9b088d50b7519f8d6bbf15be977cd325 Mon Sep 17 00:00:00 2001
From: Douglas Schilling Landgraf <dougsland@redhat.com>
Date: Mon, 10 Aug 2009 22:17:25 -0300
Subject: stk-webcam: read buffer overflow

From: Roel Kluin <roel.kluin@gmail.com>

It tested the value of stk_sizes[i].m before checking whether i was in range.

Priority: normal

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Hans Verkuil <hverkuil@xs4all.nl>
Cc: Trent Piepho <xyzzy@speakeasy.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
---
 linux/drivers/media/video/stk-webcam.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'linux/drivers/media/video/stk-webcam.c')

diff --git a/linux/drivers/media/video/stk-webcam.c b/linux/drivers/media/video/stk-webcam.c
index 849867ab2..aaeee8319 100644
--- a/linux/drivers/media/video/stk-webcam.c
+++ b/linux/drivers/media/video/stk-webcam.c
@@ -1051,8 +1051,8 @@ static int stk_setup_format(struct stk_camera *dev)
 		depth = 1;
 	else
 		depth = 2;
-	while (stk_sizes[i].m != dev->vsettings.mode
-			&& i < ARRAY_SIZE(stk_sizes))
+	while (i < ARRAY_SIZE(stk_sizes) &&
+			stk_sizes[i].m != dev->vsettings.mode)
 		i++;
 	if (i == ARRAY_SIZE(stk_sizes)) {
 		STK_ERROR("Something is broken in %s\n", __func__);
-- 
cgit v1.2.3