summaryrefslogtreecommitdiff
path: root/drivers/media/i2c/adv7604.c
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2017-08-04 11:07:51 +0300
committerMauro Carvalho Chehab <mchehab@s-opensource.com>2017-08-09 17:35:15 +0300
commit7cc7a83394be1db510609d8d2f68c53b63a3ecff (patch)
tree2a66584f62ecd57d613031e6b188b8eb39c7f226 /drivers/media/i2c/adv7604.c
parentb050d46e4a64ab0b9df9a607a6c4dc7b28e9125b (diff)
downloadlinux-7cc7a83394be1db510609d8d2f68c53b63a3ecff.tar.xz
media: adv7604: Prevent out of bounds access
These can only be accessed with CAP_SYS_ADMIN so it's not a critical security issue. The problem is that "page" is controlled by the user in the ioctl(). The test to see if the bit is set in state->info->page_mask is not sufficient because "page" can be very high and shift wrap around to a bit which is set. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/i2c/adv7604.c')
-rw-r--r--drivers/media/i2c/adv7604.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index 324d39bd68d0..f289b8aca1da 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -618,7 +618,7 @@ static int adv76xx_read_reg(struct v4l2_subdev *sd, unsigned int reg)
unsigned int val;
int err;
- if (!(BIT(page) & state->info->page_mask))
+ if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
return -EINVAL;
reg &= 0xff;
@@ -633,7 +633,7 @@ static int adv76xx_write_reg(struct v4l2_subdev *sd, unsigned int reg, u8 val)
struct adv76xx_state *state = to_state(sd);
unsigned int page = reg >> 8;
- if (!(BIT(page) & state->info->page_mask))
+ if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
return -EINVAL;
reg &= 0xff;