From d142914b8f97bc73178590246fa810be0d529121 Mon Sep 17 00:00:00 2001
From: jogo
Date: Tue, 23 Apr 2013 09:17:07 +0000
Subject: [PATCH] [packages] wview: fix segmentation fault in WMR USB driver

Do not overflow the input buffer. This happens on slow hosts that take long time to recompute the data on start.

Signed-off-by: Paul Fertser

git-svn-id: svn://svn.openwrt.org/openwrt/packages@36390 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 utils/wview/Makefile | 2 +-
 ...0-WMRUSB-fix-segfault-buffer-overflow.patch | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch

diff --git a/utils/wview/Makefile b/utils/wview/Makefile
index 32e9de659..f231fa7ed 100644
--- a/utils/wview/Makefile
+++ b/utils/wview/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wview
 PKG_VERSION:=5.19.0-jgoerzen
-PKG_RELEASE=$(PKG_SOURCE_VERSION)-r1
+PKG_RELEASE=$(PKG_SOURCE_VERSION)-r2
 PKG_SOURCE_URL:=git://github.com/jgoerzen/wview.git
 PKG_SOURCE_VERSION:=7bfac6c11e756290c38e7b5862a4c51b6bc6c51e
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
diff --git a/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch b/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch
new file mode 100644
index 000000000..be518c608
--- /dev/null
+++ b/utils/wview/patches/050-WMRUSB-fix-segfault-buffer-overflow.patch
@@ -0,0 +1,18 @@
+Index: wview-5.19.0-jgoerzen/stations/WMRUSB/wmrusbprotocol.c
+===================================================================
+--- wview-5.19.0-jgoerzen.orig/stations/WMRUSB/wmrusbprotocol.c 2013-03-10 22:24:28.000000000 +0400
++++ wview-5.19.0-jgoerzen/stations/WMRUSB/wmrusbprotocol.c 2013-03-10 22:25:01.000000000 +0400
+@@ -897,8 +897,11 @@
+ // Read raw USB data and buffer it for later processing:
+ void wmrReadData (WVIEWD_WORK *work, WMRUSB_MSG_DATA* msg)
+ {
+- memcpy(&wmrWork.readData[wmrWork.readIndex], msg->data, msg->length);
+- wmrWork.readIndex += msg->length;
++ if (wmrWork.readIndex + msg->length <= WMR_BUFFER_LENGTH)
++ {
++ memcpy(&wmrWork.readData[wmrWork.readIndex], msg->data, msg->length);
++ wmrWork.readIndex += msg->length;
++ }
+
+ return;
+ }
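Review bot: The new guard in wmrReadData, `if (wmrWork.readIndex + msg->length <= WMR_BUFFER_LENGTH)`, is only sound when both operands are non-negative and their sum cannot wrap; the types of `readIndex` and `msg->length` are not visible in this hunk, and `msg->length` appears to describe data that originated at the USB device. Comparing against the remaining space avoids the addition, e.g. `if (msg->length >= 0 && msg->length <= WMR_BUFFER_LENGTH - wmrWork.readIndex)` (drop the first clause if the field is unsigned), assuming WMR_BUFFER_LENGTH is the declared size of `wmrWork.readData`, which should be confirmed against the struct definition. The rejected case also discards the message silently, which may leave a partial record in the buffer with no trace of why; a log line in an `else` branch would make the overrun condition visible to whoever operates the station.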