diff options
author | Xi Wang <xi.wang@gmail.com> | 2012-04-10 00:15:45 +0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-04-19 16:11:25 +0400 |
commit | 32898a145404acbebe3256709e012c2830a2043b (patch) | |
tree | fb62bbd35c0936e59daf533624cf7372c49d847a /drivers/media/video/zoran | |
parent | 3fc82fa001cac8f22e7493a02c795f2bb33cafac (diff) | |
download | linux-32898a145404acbebe3256709e012c2830a2043b.tar.xz |
[media] zoran: fix integer overflow in setup_window()
`clipcount' is from userspace and thus needs validation. Otherwise,
a large `clipcount' could overflow the vmalloc() size, leading to
out-of-bounds access.
| setup_window()
| zoran_s_fmt_vid_overlay()
| __video_do_ioctl()
| video_ioctl2()
Use 2048 as the maximum `clipcount'. Also change the corresponding
parameter type to `unsigned int'.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/video/zoran')
-rw-r--r-- | drivers/media/video/zoran/zoran_driver.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/drivers/media/video/zoran/zoran_driver.c b/drivers/media/video/zoran/zoran_driver.c index 4c09ab781ec3..c57310931810 100644 --- a/drivers/media/video/zoran/zoran_driver.c +++ b/drivers/media/video/zoran/zoran_driver.c @@ -1131,8 +1131,14 @@ static int setup_fbuffer(struct zoran_fh *fh, } -static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height, - struct v4l2_clip __user *clips, int clipcount, void __user *bitmap) +static int setup_window(struct zoran_fh *fh, + int x, + int y, + int width, + int height, + struct v4l2_clip __user *clips, + unsigned int clipcount, + void __user *bitmap) { struct zoran *zr = fh->zr; struct v4l2_clip *vcp = NULL; @@ -1155,6 +1161,14 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height return -EINVAL; } + if (clipcount > 2048) { + dprintk(1, + KERN_ERR + "%s: %s - invalid clipcount\n", + ZR_DEVNAME(zr), __func__); + return -EINVAL; + } + /* * The video front end needs 4-byte alinged line sizes, we correct that * silently here if necessary @@ -1218,7 +1232,7 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height (width * height + 7) / 8)) { return -EFAULT; } - } else if (clipcount > 0) { + } else if (clipcount) { /* write our own bitmap from the clips */ vcp = vmalloc(sizeof(struct v4l2_clip) * (clipcount + 4)); if (vcp == NULL) { |