[media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

If ctrls->count is too high the multiplication could overflow and array_size would be lower than expected. Mauro and Hans Verkuil suggested that we cap it at 1024. That comes from the maximum number of controls with lots of room for expantion. $ grep V4L2_CID include/linux/videodev2.h | wc -l 211 Cc: stable <stable@vger.kernel.org> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
author: Dan Carpenter <dan.carpenter@oracle.com> 2012-01-05 05:27:57 (GMT)
committer: Mauro Carvalho Chehab <mchehab@redhat.com> 2012-01-07 13:47:22 (GMT)
commit: 6c06108be53ca5e94d8b0e93883d534dd9079646 (patch)
tree: 2b2902e6b1c0d91f4fedd804af47ff33dbae42e1 /drivers/media/video/v4l2-ioctl.c
parent: e82db75d06ac331ae39b07f57539df3c51d19b94 (diff)
download: linux-6c06108be53ca5e94d8b0e93883d534dd9079646.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
index e1da8fc..639abee 100644
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
 		struct v4l2_ext_controls *ctrls = parg;
 
 		if (ctrls->count != 0) {
+			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+				ret = -EINVAL;
+				break;
+			}
 			*user_ptr = (void __user *)ctrls->controls;
 			*kernel_ptr = (void *)&ctrls->controls;
 			*array_size = sizeof(struct v4l2_ext_control)
author	Dan Carpenter <dan.carpenter@oracle.com>	2012-01-05 05:27:57 (GMT)
committer	Mauro Carvalho Chehab <mchehab@redhat.com>	2012-01-07 13:47:22 (GMT)
commit	6c06108be53ca5e94d8b0e93883d534dd9079646 (patch)
tree	2b2902e6b1c0d91f4fedd804af47ff33dbae42e1 /drivers/media/video/v4l2-ioctl.c
parent	e82db75d06ac331ae39b07f57539df3c51d19b94 (diff)
download	linux-6c06108be53ca5e94d8b0e93883d534dd9079646.tar.xz