From patchwork Tue Oct 2 06:47:58 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans Verkuil X-Patchwork-Id: 1535871 Return-Path: X-Original-To: patchwork-linux-media@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork1.kernel.org (Postfix) with ESMTP id 605163FE1C for ; Tue, 2 Oct 2012 06:48:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754148Ab2JBGsL (ORCPT ); Tue, 2 Oct 2012 02:48:11 -0400 Received: from smtp-vbr14.xs4all.nl ([194.109.24.34]:1983 "EHLO smtp-vbr14.xs4all.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754099Ab2JBGsI (ORCPT ); Tue, 2 Oct 2012 02:48:08 -0400 Received: from alastor.dyndns.org (166.80-203-20.nextgentel.com [80.203.20.166] (may be forged)) (authenticated bits=0) by smtp-vbr14.xs4all.nl (8.13.8/8.13.8) with ESMTP id q926m16R014373 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 2 Oct 2012 08:48:03 +0200 (CEST) (envelope-from hverkuil@xs4all.nl) Received: from tschai.lan (tschai.lan [192.168.1.10]) (Authenticated sender: hans) by alastor.dyndns.org (Postfix) with ESMTPSA id BCB5B35C00B8; Tue, 2 Oct 2012 08:48:00 +0200 (CEST) From: Hans Verkuil To: linux-media@vger.kernel.org Cc: Dan Carpenter , Hans Verkuil Subject: [PATCH 1/2] v4l2-ioctl: add blocks check for VIDIOC_SUBDEV_G/S_EDID Date: Tue, 2 Oct 2012 08:47:58 +0200 Message-Id: <10d7f0ff3a151454cd7cf21e59333544e40fc577.1349160401.git.hans.verkuil@cisco.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1349160479-5314-1-git-send-email-hverkuil@xs4all.nl> References: <1349160479-5314-1-git-send-email-hverkuil@xs4all.nl> X-Virus-Scanned: by XS4ALL Virus Scanner Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org From: Hans Verkuil The maximum size of an EDID is 32768 bytes, which is 32768 / 128 = 256 blocks. Return -EINVAL if blocks > 256 to ensure that the memory allocation is sane. Signed-off-by: Hans Verkuil Reported-by: Dan Carpenter --- drivers/media/v4l2-core/v4l2-ioctl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 9d3e46c..a9af6f8 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -2211,6 +2211,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, struct v4l2_subdev_edid *edid = parg; if (edid->blocks) { + if (edid->blocks > 256) { + ret = -EINVAL; + break; + } *user_ptr = (void __user *)edid->edid; *kernel_ptr = (void *)&edid->edid; *array_size = edid->blocks * 128;