From 9369cc96af2d5e093ed7f0ac9671f4b30d30af86 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 18 Oct 2011 02:12:09 -0300
Subject: [PATCH] [media] av7110: wrong limiter in av7110_start_feed()

Smatch complains that the wrong limiter is used here:
drivers/media/dvb/ttpci/av7110.c +906 dvb_feed_start_pid(12)
	error: buffer overflow 'npids' 5 <= 19

Here is the problem code:
   905          i = dvbdmxfeed->pes_type;
   906          npids[i] = (pid[i]&0x8000) ? 0 : pid[i];

"npids" is a 5 element array declared on the stack.  If
dvbdmxfeed->pes_type is more than 4 we probably put a (u16)0 past
the end of the array.

If dvbdmxfeed->pes_type is over 4 the rest of the function doesn't
do anything.  dvbdmxfeed->pes_type is capped at less than
DMX_TS_PES_OTHER (20) in the caller function, but I changed it to
less than or equal to DMX_TS_PES_PCR (4).

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Oliver Endriss <o.endriss@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
Reading git-format-patch failed