[media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 5 Jan 2012 05:27:57 +0000 (02:27 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Sat, 7 Jan 2012 13:47:22 +0000 (11:47 -0200)
If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected.  Mauro and Hans Verkuil
suggested that we cap it at 1024.  That comes from the maximum
number of controls with lots of room for expantion.

$ grep V4L2_CID include/linux/videodev2.h | wc -l
211

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/video/v4l2-ioctl.c
include/linux/videodev2.h

index e1da8fc9dd2f192e4451318bdc66a93fbea3279d..639abeee33928cfc9890820c7b0de20bf05ab92a 100644 (file)
@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
                struct v4l2_ext_controls *ctrls = parg;
 
                if (ctrls->count != 0) {
+                       if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+                               ret = -EINVAL;
+                               break;
+                       }
                        *user_ptr = (void __user *)ctrls->controls;
                        *kernel_ptr = (void *)&ctrls->controls;
                        *array_size = sizeof(struct v4l2_ext_control)
index 6bfaa767a8174d1c51e39a489ce23be3499843fb..b2e1331ca76bd0ca62a8c05515400c8949208f72 100644 (file)
@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
 #define V4L2_CTRL_FLAG_NEXT_CTRL       0x80000000
 
 /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS             1024
 #define V4L2_CID_BASE                  (V4L2_CTRL_CLASS_USER | 0x900)
 #define V4L2_CID_USER_BASE             V4L2_CID_BASE
 /*  IDs reserved for driver specific controls */