diff options
author | Haogang Chen <haogangchen@gmail.com> | 2011-11-29 18:32:25 -0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2012-01-25 16:13:34 -0800 |
commit | 053ae10f55886546a5974d9d75a041ff2cea0cbd (patch) | |
tree | 15eaa043a5d70369fd8fc5fb34865f0298dfdab5 /include | |
parent | 29ea3528d4b52b185aa86c13dea50dfb98ff6870 (diff) |
uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map()
commit 806e23e95f94a27ee445022d724060b9b45cb64a upstream.
There is a potential integer overflow in uvc_ioctl_ctrl_map(). When a
large xmap->menu_count is passed from the userspace, the subsequent call
to kmalloc() will allocate a buffer smaller than expected.
map->menu_count and map->menu_info would later be used in a loop (e.g.
in uvc_query_v4l2_ctrl), which leads to out-of-bound access.
The patch checks the ioctl argument and returns -EINVAL for zero or too
large values in xmap->menu_count.
Signed-off-by: Haogang Chen <haogangchen@gmail.com>
[laurent.pinchart@ideasonboard.com Prevent excessive memory consumption]
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions