From 1b8b10cc7e6bd9bf017c58e32b1e7f632e23850d Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Tue, 2 Oct 2012 02:47:58 -0300 Subject: [PATCH] [media] v4l2-ioctl: add blocks check for VIDIOC_SUBDEV_G/S_EDID The maximum size of an EDID is 32768 bytes, which is 32768 / 128 = 256 blocks. Return -EINVAL if blocks > 256 to ensure that the memory allocation is sane. Signed-off-by: Hans Verkuil Reported-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab --- drivers/media/v4l2-core/v4l2-ioctl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 16205d9bddfc..11874c170cbe 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -2212,6 +2212,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, struct v4l2_subdev_edid *edid = parg; if (edid->blocks) { + if (edid->blocks > 256) { + ret = -EINVAL; + break; + } *user_ptr = (void __user *)edid->edid; *kernel_ptr = (void *)&edid->edid; *array_size = edid->blocks * 128; -- 2.20.1