[media] v4l2-ioctl: add blocks check for VIDIOC_SUBDEV_G/S_EDID

The maximum size of an EDID is 32768 bytes, which is 32768 / 128 = 256 blocks.
Return -EINVAL if blocks > 256 to ensure that the memory allocation is sane.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 16205d9bddfcf3b04ae636e9db67645e90e6c520..11874c170cbe41be9234b02811df098ca4a0c22a 100644 (file)
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -2212,6 +2212,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
                struct v4l2_subdev_edid *edid = parg;
 
                if (edid->blocks) {
+                       if (edid->blocks > 256) {
+                               ret = -EINVAL;
+                               break;
+                       }
                        *user_ptr = (void __user *)edid->edid;
                        *kernel_ptr = (void *)&edid->edid;
                        *array_size = edid->blocks * 128;