[media] v4l2-ctrls: fix integer overflow in v4l2_g_ext_ctrls()

A large cs->count from userspace may overflow the allocation size, leading to memory corruption. v4l2_g_ext_ctrls() can be reached from subdev_do_ioctl() or __video_do_ioctl(). Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

[media] v4l2-ctrls: fix integer overflow in v4l2_g_ext_ctrls()
A large cs->count from userspace may overflow the allocation size, leading to memory corruption. v4l2_g_ext_ctrls() can be reached from subdev_do_ioctl() or __video_do_ioctl(). Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
5f0049bd · Xi Wang · Mauro Carvalho Chehab · 30059d93 · 5f0049bd
Commit 5f0049bd authored Apr 06, 2012 by Xi Wang Committed by Mauro Carvalho Chehab Apr 18, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/media/video/v4l2-ctrls.c drivers/media/video/v4l2-ctrls.c +2 -1

No files found.
--- a/drivers/media/video/v4l2-ctrls.c
+++ b/drivers/media/video/v4l2-ctrls.c
@@ -2036,7 +2036,8 @@ int v4l2_g_ext_ctrls(struct v4l2_ctrl_handler *hdl, struct v4l2_ext_controls *cs
 		return class_check(hdl, cs->ctrl_class);

 	if (cs->count > ARRAY_SIZE(helper)) {
-		helpers = kmalloc(sizeof(helper[0]) * cs->count, GFP_KERNEL);
+		helpers = kmalloc_array(cs->count, sizeof(helper[0]),
+					GFP_KERNEL);
 		if (helpers == NULL)
 			return -ENOMEM;
 	}