November 2011 22:32:25 Haogang Chen wrote:
>> There is a potential integer overflow in uvc_ioctl_ctrl_map(). When a
>> large xmap->menu_count is passed from the userspace, the subsequent call
>> to kmalloc() will allocate a buffer smaller than expected.
>> map->menu_count a
v4l2_ctrl), which leads to out-of-bound access.
The patch checks the ioctl argument and returns -EINVAL for zero or too
large values in xmap->menu_count.
Signed-off-by: Haogang Chen
---
drivers/media/video/uvc/uvc_v4l2.c |6 ++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --g
