Google Git
Sign in
kernel / pub / scm / linux / kernel / git / bwh / linux-stable-queue / b27a1734a37afe075a62e42a0b44dab8fdce3c09 / . / releases / 3.16.61 / media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch
blob: 38f3ae1a73ef2947e1c4c4949843c0860414d3ae [file] [log] [blame]
From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Date: Wed, 11 Apr 2018 11:47:32 -0400
Subject: media: v4l2-compat-ioctl32: prevent go past max size
commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.
As warned by smatch:
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'
The access_ok() logic should check for too big arrays too.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -848,7 +848,7 @@ static int put_v4l2_ext_controls32(struc
get_user(kcontrols, &kp->controls))
return -EFAULT;
- if (!count)
+ if (!count || count > (U32_MAX/sizeof(*ucontrols)))
return 0;
if (get_user(p, &up->controls))
return -EFAULT;