[PATCH] [media] zoran: fix integer overflow in setup_window()

Mon, 09 Apr 2012 14:16:47 -0700 

`clipcount' is from userspace and thus needs validation.  Otherwise,
a large `clipcount' could overflow the vmalloc() size, leading to
out-of-bounds access.

| setup_window()
| zoran_s_fmt_vid_overlay()
| __video_do_ioctl()
| video_ioctl2()

Use 2048 as the maximum `clipcount'.  Also change the corresponding
parameter type to `unsigned int'.

Signed-off-by: Xi Wang <xi.w...@gmail.com>
---
The upper bound `2048' is from get_v4l2_window32() in
drivers/media/video/v4l2-ioctl.c.

bt8xx and saa7134 also use the bound for `clipcount'.
---
 drivers/media/video/zoran/zoran_driver.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/media/video/zoran/zoran_driver.c 
b/drivers/media/video/zoran/zoran_driver.c
index 4c09ab7..c573109 100644
--- a/drivers/media/video/zoran/zoran_driver.c
+++ b/drivers/media/video/zoran/zoran_driver.c
@@ -1131,8 +1131,14 @@ static int setup_fbuffer(struct zoran_fh *fh,
 }
 
 
-static int setup_window(struct zoran_fh *fh, int x, int y, int width, int 
height,
-       struct v4l2_clip __user *clips, int clipcount, void __user *bitmap)
+static int setup_window(struct zoran_fh *fh,
+                       int x,
+                       int y,
+                       int width,
+                       int height,
+                       struct v4l2_clip __user *clips,
+                       unsigned int clipcount,
+                       void __user *bitmap)
 {
        struct zoran *zr = fh->zr;
        struct v4l2_clip *vcp = NULL;
@@ -1155,6 +1161,14 @@ static int setup_window(struct zoran_fh *fh, int x, int 
y, int width, int height
                return -EINVAL;
        }
 
+       if (clipcount > 2048) {
+               dprintk(1,
+                       KERN_ERR
+                       "%s: %s - invalid clipcount\n",
+                        ZR_DEVNAME(zr), __func__);
+               return -EINVAL;
+       }
+
        /*
         * The video front end needs 4-byte alinged line sizes, we correct that
         * silently here if necessary
@@ -1218,7 +1232,7 @@ static int setup_window(struct zoran_fh *fh, int x, int 
y, int width, int height
                                   (width * height + 7) / 8)) {
                        return -EFAULT;
                }
-       } else if (clipcount > 0) {
+       } else if (clipcount) {
                /* write our own bitmap from the clips */
                vcp = vmalloc(sizeof(struct v4l2_clip) * (clipcount + 4));
                if (vcp == NULL) {
-- 
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to