| commit | bb9b57cc544d4c6a88a370338783c1390815d7ed | |
| author | Dan Carpenter <dan.carpenter@oracle.com> | |
| Thu, 5 Jan 2012 05:27:57 +0000 (5 02:27 -0300) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Thu, 26 Jan 2012 00:13:29 +0000 (25 16:13 -0800) | ||
| tree | 58a3cbf829f7a394b3612d4243de8bbd33436388 | treesnapshot (tar.gz zip) |
| parent | 37cd47c536d36a5bd5c7e9b83960aa5913758fec | commitdiff |
V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected. Mauro and Hans Verkuil
suggested that we cap it at 1024. That comes from the maximum
number of controls with lots of room for expantion.
$ grep V4L2_CID include/linux/videodev2.h | wc -l
211
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.
If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected. Mauro and Hans Verkuil
suggested that we cap it at 1024. That comes from the maximum
number of controls with lots of room for expantion.
$ grep V4L2_CID include/linux/videodev2.h | wc -l
211
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| drivers/media/video/v4l2-ioctl.c | diffblobblamehistory | |
| include/linux/videodev2.h | diffblobblamehistory |