* [PATCH] media: pluto2: fix potential buffer overflow in pluto_dma_end()
@ 2026-03-23 10:29 Dmitriy Chumachenko
2026-03-24 21:58 ` Claude review: " Claude Code Review Bot
2026-03-24 21:58 ` Claude Code Review Bot
0 siblings, 2 replies; 3+ messages in thread
From: Dmitriy Chumachenko @ 2026-03-23 10:29 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Sumit Semwal, Christian König, Andrew Morton,
Andreas Oberritter, Johannes Stezenbach, linux-media,
linux-kernel, dri-devel, linaro-mm-sig, lvc-project
The while loop in pluto_dma_end() scans the DMA buffer for MPEG-TS sync
bytes (0x47) at 188-byte intervals. However, it does not check the buffer
boundary. If the buffer contains 0x47 at every 188-byte offset, the loop
index will exceed the buffer size, causing an out-of-bounds read.
Add a check to ensure the index stays within TS_DMA_BYTES.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c7cadb3a02b5 ("[PATCH] dvb: add Pluto2 driver")
Signed-off-by: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>
---
drivers/media/pci/pluto2/pluto2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/pci/pluto2/pluto2.c b/drivers/media/pci/pluto2/pluto2.c
index 6ac9b9bd7435..fd7f8d8b85a8 100644
--- a/drivers/media/pci/pluto2/pluto2.c
+++ b/drivers/media/pci/pluto2/pluto2.c
@@ -291,7 +291,7 @@ static void pluto_dma_end(struct pluto *pluto, unsigned int nbpackets)
*/
if ((nbpackets == 0) || (nbpackets > TS_DMA_PACKETS)) {
unsigned int i = 0;
- while (pluto->dma_buf[i] == 0x47)
+ while (i < TS_DMA_BYTES && pluto->dma_buf[i] == 0x47)
i += 188;
nbpackets = i / 188;
if (i == 0) {
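Review bot: On the changed `while` line, the access being guarded is a read of `pluto->dma_buf[i]`, so the subject's "buffer overflow" would be more accurately worded as "out-of-bounds read", which is the term the commit message body already uses. The bound sits on the left of the `&&`, so the index is tested before the byte is read, which is the right order. Since the loop can now exit with `i == TS_DMA_BYTES`, it would help to state in the commit message that `nbpackets = i / 188` then stays within `TS_DMA_PACKETS`, the limit tested in the `if` above. The bare `188` in the step and the division could also become a named packet-size constant, so the relation between the bound and the step is visible at the call site.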
--
2.49.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Claude review: media: pluto2: fix potential buffer overflow in pluto_dma_end()
From: Claude Code Review Bot @ 2026-03-24 21:58 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: media: pluto2: fix potential buffer overflow in pluto_dma_end()
Author: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>
Patches: 1
Reviewed: 2026-03-25T07:58:45.124713
---
This is a single-patch fix for a potential out-of-bounds read in the Pluto2 DVB driver. The fix is correct, minimal, and addresses a real bug. The patch is good to merge.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 3+ messages in thread
* Claude review: media: pluto2: fix potential buffer overflow in pluto_dma_end()
From: Claude Code Review Bot @ 2026-03-24 21:58 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Assessment: Good fix, minor nit**
The bug is real. `TS_DMA_BYTES` is `188 * 8 = 1504`, and `dma_buf` is declared as `u8 dma_buf[TS_DMA_BYTES]` (line 111). The original loop:
```c
while (pluto->dma_buf[i] == 0x47)
	i += 188;
```
increments `i` by 188 each iteration. If every 188th byte happens to be `0x47`, `i` would reach `188 * 8 = 1504 = TS_DMA_BYTES`, and the next iteration would read `pluto->dma_buf[1504]` — one byte past the end of the buffer. The fix:
```c
while (i < TS_DMA_BYTES && pluto->dma_buf[i] == 0x47)
	i += 188;
```
correctly bounds-checks before accessing the buffer. Short-circuit evaluation ensures `dma_buf[i]` is never accessed when `i >= TS_DMA_BYTES`.
**Minor observation:** In practice, the maximum valid `i` after the loop would be `TS_DMA_BYTES` (1504), and `nbpackets = 1504 / 188 = 8 = TS_DMA_PACKETS`, which is the correct maximum. So the fix is semantically clean — it doesn't change behavior for valid data, only prevents the OOB read.
**Verdict:** Straightforward and correct one-line fix. The commit message, Fixes tag, and Signed-off-by are all proper.
Reviewed-by assessment: **Accept**.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 3+ messages in thread
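The arithmetic in the review above can be checked with a user-space model of the sync-byte scan. This is an added example, not code from the driver or from either message in the thread; `TS_PACKET_SIZE`, `backing`, `is_sync`, `scan_sync` and `fill_sync` are hypothetical names, and the buffer contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TS_PACKET_SIZE 188u   /* assumed name; the driver writes the literal 188 */
#define TS_DMA_PACKETS 8u
#define TS_DMA_BYTES   (TS_PACKET_SIZE * TS_DMA_PACKETS)   /* 1504, per the review */

/* Constructed model: the first TS_DMA_BYTES stand in for dma_buf, the extra
 * packet of slack stands in for whatever follows it, so the unbounded scan
 * can be observed without this program itself reading out of bounds. */
static unsigned char backing[TS_DMA_BYTES + TS_PACKET_SIZE];
static size_t last_read;      /* index of the most recent byte the scan read */

static int is_sync(const unsigned char *buf, size_t i)
{
	last_read = i;
	return buf[i] == 0x47;
}

/* limit == TS_DMA_BYTES is the patched loop. limit == sizeof(backing) models
 * the pre-patch loop, which has no bound; the limit only protects the model. */
static unsigned int scan_sync(const unsigned char *buf, size_t limit)
{
	size_t i = 0;

	while (i < limit && is_sync(buf, i))
		i += TS_PACKET_SIZE;
	return (unsigned int)(i / TS_PACKET_SIZE);
}

/* Worst case from the commit message: 0x47 at every 188-byte offset. */
static void fill_sync(unsigned char *buf, size_t len)
{
	memset(buf, 0, len);
	for (size_t i = 0; i < len; i += TS_PACKET_SIZE)
		buf[i] = 0x47;
}

int main(void)
{
	fill_sync(backing, sizeof(backing));
	unsigned int n = scan_sync(backing, sizeof(backing));
	printf("pre-patch: nbpackets=%u, last index read=%zu\n", n, last_read);
	n = scan_sync(backing, TS_DMA_BYTES);
	printf("patched:   nbpackets=%u, last index read=%zu\n", n, last_read);
	return 0;
}
```

In the model, the unbounded scan reads index 1504 and, because the constructed slack also holds 0x47, derives a packet count above `TS_DMA_PACKETS`; the bounded scan stops after reading index 1316 and reports 8.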