V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 5 Jan 2012 05:27:57 +0000 (02:27 -0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 26 Jan 2012 01:24:46 +0000 (17:24 -0800)
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.

If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected.  Mauro and Hans Verkuil
suggested that we cap it at 1024.  That comes from the maximum
number of controls with lots of room for expantion.

$ grep V4L2_CID include/linux/videodev2.h | wc -l
211

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/media/video/v4l2-ioctl.c
include/linux/videodev2.h

index 69e8c6ffcc49b8b64700c8049acaf0b172d25350..bda252f04e8a26f87f4f53d2f603c7faefb705fb 100644 (file)
@@ -2289,6 +2289,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
                struct v4l2_ext_controls *ctrls = parg;
 
                if (ctrls->count != 0) {
+                       if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+                               ret = -EINVAL;
+                               break;
+                       }
                        *user_ptr = (void __user *)ctrls->controls;
                        *kernel_ptr = (void **)&ctrls->controls;
                        *array_size = sizeof(struct v4l2_ext_control)
index 8a4c309d23444450a13a9e675cdc51e4a14376f4..eeeda13b4d53c85e16e4dd5dac103c5eeb3c7392 100644 (file)
@@ -1075,6 +1075,7 @@ struct v4l2_querymenu {
 #define V4L2_CTRL_FLAG_NEXT_CTRL       0x80000000
 
 /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS             1024
 #define V4L2_CID_BASE                  (V4L2_CTRL_CLASS_USER | 0x900)
 #define V4L2_CID_USER_BASE             V4L2_CID_BASE
 /*  IDs reserved for driver specific controls */