[linux-dvb] [PATCH] tuner-xc2028.c firmware loading panic

Devin Heitmueller devin.heitmueller at gmail.com
Mon Dec 10 04:16:02 CET 2007

I was doing some work trying to figure out the format for the firmware
fed into tuner-xc2028.c, and caused a panic when I gave it some
malformed input.

The size field can be some obscenely large number which causes an
integer wraparound when comparing it to the end pointer (p + size <
endp test passes when size is large enough to wrap around).

The attached patch against the trunk just tweaks the math for the
calculation to avoid the wraparound bug.

Could somebody please provide any information regarding the format of
the expected firmware file?  I have been playing around with
v4l_experimental/xc3028/convert.c as well as
v4l2-apps/util/xc3028-firmware/firmware-tool.c and it's not clear what
is the expected input.  Better yet, if somebody could point me to a
sample firmware file that works, I'm sure I can work backwards from
there (in my case I'm trying to get the HVR-950 working).

On a sidenote, is v4l/xc3028.c actually used for anything?  I spent
some time digging around in the firmware loading code there before I
realized that the actual code being used was in tuner-xc2028.c.  If it
is dead code, can it be dropped from the repository?


Devin J. Heitmueller
AIM: devinheitmueller
