media: technisat-usb2: break out of loop at end of buffer

jira VULN-7734
cve CVE-2019-15505
commit-author Sean Young <[email protected]>
commit 0c4df39
upstream-diff Mainline fix 0c4df39 is based on
    changes introduced by 5d0f2df which
    `ciqcbr7_9' lacks. Insteasd of operating on the `d->priv->buf' buffer as
    in the original the logic is applied to the local array `buf[62]'.

Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.

	Reported-by: [email protected]
	Signed-off-by: Sean Young <[email protected]>
	Reviewed-by: Kees Cook <[email protected]>
	Signed-off-by: Mauro Carvalho Chehab <[email protected]>
(cherry picked from commit 0c4df39)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

drivers/media/usb/dvb-usb/technisat-usb2.c

@@ -591,9 +591,10 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
 
 static int technisat_usb2_get_ir(struct dvb_usb_device *d)
 {
-	u8 buf[62], *b;
+	u8 buf[62];
 	int ret;
 	struct ir_raw_event ev;
+	int i;
 
 	buf[0] = GET_IR_DATA_VENDOR_REQUEST;
 	buf[1] = 0x08;
@@ -629,26 +630,25 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
 		return 0; /* no key pressed */
 
 	/* decoding */
-	b = buf+1;
 
 #if 0
 	deb_rc("RC: %d ", ret);
-	debug_dump(b, ret, deb_rc);
+	debug_dump(buf + 1, ret, deb_rc);
 #endif
 
 	ev.pulse = 0;
-	while (1) {
-		ev.pulse = !ev.pulse;
-		ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
-		ir_raw_event_store(d->rc_dev, &ev);
-
-		b++;
-		if (*b == 0xff) {
+	for (i = 1; i < ARRAY_SIZE(buf); i++) {
+		if (buf[i] == 0xff) {
 			ev.pulse = 0;
 			ev.duration = 888888*2;
 			ir_raw_event_store(d->rc_dev, &ev);
 			break;
 		}
+
+		ev.pulse = !ev.pulse;
+		ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
+			       FIRMWARE_CLOCK_TICK) / 1000;
+		ir_raw_event_store(d->rc_dev, &ev);
 	}
 
 	ir_raw_event_handle(d->rc_dev);