Message ID | 1373319192-26816-4-git-send-email-sean@mess.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c index e456126..e5be920 100644 --- a/drivers/media/rc/ir-lirc-codec.c +++ b/drivers/media/rc/ir-lirc-codec.c @@ -140,11 +140,20 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, goto out; } + for (i = 0; i < count; i++) { + if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) { + ret = -EINVAL; + goto out; + } + + duration += txbuf[i]; + } + ret = dev->tx_ir(dev, txbuf, count); if (ret < 0) goto out; - for (i = 0; i < ret; i++) + for (duration = i = 0; i < ret; i++) duration += txbuf[i]; ret *= sizeof(unsigned int);
The lirc interface allows 255 u32 spaces and pulses, which are usec. If the driver can handle this (e.g. winbond-cir) you can produce hours of meaningless IR data and there is no method of interrupting it. Signed-off-by: Sean Young <sean@mess.org> --- drivers/media/rc/ir-lirc-codec.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)