summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorHaogang Chen <haogangchen@gmail.com>2011-11-29 18:32:25 -0300
committerGreg Kroah-Hartman <gregkh@suse.de>2012-01-25 16:13:34 -0800
commit053ae10f55886546a5974d9d75a041ff2cea0cbd (patch)
tree15eaa043a5d70369fd8fc5fb34865f0298dfdab5 /include
parent29ea3528d4b52b185aa86c13dea50dfb98ff6870 (diff)
uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map()
commit 806e23e95f94a27ee445022d724060b9b45cb64a upstream. There is a potential integer overflow in uvc_ioctl_ctrl_map(). When a large xmap->menu_count is passed from the userspace, the subsequent call to kmalloc() will allocate a buffer smaller than expected. map->menu_count and map->menu_info would later be used in a loop (e.g. in uvc_query_v4l2_ctrl), which leads to out-of-bound access. The patch checks the ioctl argument and returns -EINVAL for zero or too large values in xmap->menu_count. Signed-off-by: Haogang Chen <haogangchen@gmail.com> [laurent.pinchart@ideasonboard.com Prevent excessive memory consumption] Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions