[media] zoran: fix integer overflow in setup_window()

`clipcount' is from userspace and thus needs validation. Otherwise, a large `clipcount' could overflow the vmalloc() size, leading to out-of-bounds access. | setup_window() | zoran_s_fmt_vid_overlay() | __video_do_ioctl() | video_ioctl2() Use 2048 as the maximum `clipcount'. Also change the corresponding parameter type to `unsigned int'. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
git-mirror · Apr 19, 2012 · 32898a1 · 32898a1
1 parent 3fc82fa
commit 32898a1
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/drivers/media/video/zoran/zoran_driver.c b/drivers/media/video/zoran/zoran_driver.c
@@ -1131,8 +1131,14 @@ static int setup_fbuffer(struct zoran_fh *fh,
 }
 
 
-static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height,
-	struct v4l2_clip __user *clips, int clipcount, void __user *bitmap)
+static int setup_window(struct zoran_fh *fh,
+			int x,
+			int y,
+			int width,
+			int height,
+			struct v4l2_clip __user *clips,
+			unsigned int clipcount,
+			void __user *bitmap)
 {
 	struct zoran *zr = fh->zr;
 	struct v4l2_clip *vcp = NULL;
@@ -1155,6 +1161,14 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height
 		return -EINVAL;
 	}
 
+	if (clipcount > 2048) {
+		dprintk(1,
+			KERN_ERR
+			"%s: %s - invalid clipcount\n",
+			 ZR_DEVNAME(zr), __func__);
+		return -EINVAL;
+	}
+
 	/*
 	 * The video front end needs 4-byte alinged line sizes, we correct that
 	 * silently here if necessary
@@ -1218,7 +1232,7 @@ static int setup_window(struct zoran_fh *fh, int x, int y, int width, int height
 				   (width * height + 7) / 8)) {
 			return -EFAULT;
 		}
-	} else if (clipcount > 0) {
+	} else if (clipcount) {
 		/* write our own bitmap from the clips */
 		vcp = vmalloc(sizeof(struct v4l2_clip) * (clipcount + 4));
 		if (vcp == NULL) {