diff options
| author | Xi Wang <xi.wang@gmail.com> | 2012-04-09 16:15:45 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-04-19 08:11:25 -0400 |
| commit | 32898a145404acbebe3256709e012c2830a2043b (patch) | |
| tree | fb62bbd35c0936e59daf533624cf7372c49d847a | |
| parent | 3fc82fa001cac8f22e7493a02c795f2bb33cafac (diff) | |
[media] zoran: fix integer overflow in setup_window()
`clipcount' is from userspace and thus needs validation. Otherwise,
a large `clipcount' could overflow the vmalloc() size, leading to
out-of-bounds access.
| setup_window()
| zoran_s_fmt_vid_overlay()
| __video_do_ioctl()
| video_ioctl2()
Use 2048 as the maximum `clipcount'. Also change the corresponding
parameter type to `unsigned int'.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| -rw-r--r-- | drivers/media/video/zoran/zoran_driver.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/drivers/media/video/zoran/zoran_driver.c b/drivers/media/video/zoran/zoran_driver.c index 4c09ab781ec..c5731093181 100644 --- a/drivers/media/video/zoran/zoran_driver.c +++ b/drivers/media/video/zoran/zoran_driver.c | |||
| @@ -1131,8 +1131,14 @@ static int setup_fbuffer(struct zoran_fh *fh, | |||
| 1131 | } | 1131 | } |
| 1132 | 1132 | ||
| 1133 | 1133 | ||
| 1134 | static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height, | 1134 | static int setup_window(struct zoran_fh *fh, |
| 1135 | struct v4l2_clip __user *clips, int clipcount, void __user *bitmap) | 1135 | int x, |
| 1136 | int y, | ||
| 1137 | int width, | ||
| 1138 | int height, | ||
| 1139 | struct v4l2_clip __user *clips, | ||
| 1140 | unsigned int clipcount, | ||
| 1141 | void __user *bitmap) | ||
| 1136 | { | 1142 | { |
| 1137 | struct zoran *zr = fh->zr; | 1143 | struct zoran *zr = fh->zr; |
| 1138 | struct v4l2_clip *vcp = NULL; | 1144 | struct v4l2_clip *vcp = NULL; |
| @@ -1155,6 +1161,14 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height | |||
| 1155 | return -EINVAL; | 1161 | return -EINVAL; |
| 1156 | } | 1162 | } |
| 1157 | 1163 | ||
| 1164 | if (clipcount > 2048) { | ||
| 1165 | dprintk(1, | ||
| 1166 | KERN_ERR | ||
| 1167 | "%s: %s - invalid clipcount\n", | ||
| 1168 | ZR_DEVNAME(zr), __func__); | ||
| 1169 | return -EINVAL; | ||
| 1170 | } | ||
| 1171 | |||
| 1158 | /* | 1172 | /* |
| 1159 | * The video front end needs 4-byte alinged line sizes, we correct that | 1173 | * The video front end needs 4-byte alinged line sizes, we correct that |
| 1160 | * silently here if necessary | 1174 | * silently here if necessary |
| @@ -1218,7 +1232,7 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height | |||
| 1218 | (width * height + 7) / 8)) { | 1232 | (width * height + 7) / 8)) { |
| 1219 | return -EFAULT; | 1233 | return -EFAULT; |
| 1220 | } | 1234 | } |
| 1221 | } else if (clipcount > 0) { | 1235 | } else if (clipcount) { |
| 1222 | /* write our own bitmap from the clips */ | 1236 | /* write our own bitmap from the clips */ |
| 1223 | vcp = vmalloc(sizeof(struct v4l2_clip) * (clipcount + 4)); | 1237 | vcp = vmalloc(sizeof(struct v4l2_clip) * (clipcount + 4)); |
| 1224 | if (vcp == NULL) { | 1238 | if (vcp == NULL) { |