Commit 5f0049bd authored by Xi Wang's avatar Xi Wang Committed by Mauro Carvalho Chehab

[media] v4l2-ctrls: fix integer overflow in v4l2_g_ext_ctrls()

A large cs->count from userspace may overflow the allocation size,
leading to memory corruption.  v4l2_g_ext_ctrls() can be reached
from subdev_do_ioctl() or __video_do_ioctl().

Use kmalloc_array() to avoid the overflow.
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent 30059d93
...@@ -2036,7 +2036,8 @@ int v4l2_g_ext_ctrls(struct v4l2_ctrl_handler *hdl, struct v4l2_ext_controls *cs ...@@ -2036,7 +2036,8 @@ int v4l2_g_ext_ctrls(struct v4l2_ctrl_handler *hdl, struct v4l2_ext_controls *cs
return class_check(hdl, cs->ctrl_class); return class_check(hdl, cs->ctrl_class);
if (cs->count > ARRAY_SIZE(helper)) { if (cs->count > ARRAY_SIZE(helper)) {
helpers = kmalloc(sizeof(helper[0]) * cs->count, GFP_KERNEL); helpers = kmalloc_array(cs->count, sizeof(helper[0]),
GFP_KERNEL);
if (helpers == NULL) if (helpers == NULL)
return -ENOMEM; return -ENOMEM;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment