summaryrefslogtreecommitdiff
path: root/drivers/media/video
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-01-05 02:27:57 -0300
committerGreg Kroah-Hartman <gregkh@suse.de>2012-01-25 17:24:46 -0800
commit065449fd56d2f75cc943a6d501b292f6b0e40325 (patch)
tree944eb13b6e59e29869631a30e27460249524a572 /drivers/media/video
parentb1830247c9927d7d2ca17c9f84908fc130051792 (diff)
downloadlwn-065449fd56d2f75cc943a6d501b292f6b0e40325.tar.gz
lwn-065449fd56d2f75cc943a6d501b292f6b0e40325.zip
V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream. If ctrls->count is too high the multiplication could overflow and array_size would be lower than expected. Mauro and Hans Verkuil suggested that we cap it at 1024. That comes from the maximum number of controls with lots of room for expantion. $ grep V4L2_CID include/linux/videodev2.h | wc -l 211 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/media/video')
-rw-r--r--drivers/media/video/v4l2-ioctl.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
index 69e8c6ffcc49..bda252f04e8a 100644
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -2289,6 +2289,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
struct v4l2_ext_controls *ctrls = parg;
if (ctrls->count != 0) {
+ if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+ ret = -EINVAL;
+ break;
+ }
*user_ptr = (void __user *)ctrls->controls;
*kernel_ptr = (void **)&ctrls->controls;
*array_size = sizeof(struct v4l2_ext_control)