media: vivid: potential integer overflow in vidioc_g_edid()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If we pick a very large "edid->blocks" value then the "edid->start_block
+ edid->blocks" addition could wrap around.

Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

authored by

Dan Carpenter and committed by

Mauro Carvalho Chehab 7 years ago 9329e7b0 a3d71f25

+1 -1

1 changed file

expand all

drivers

media

platform

vivid

vivid-vid-common.c

+1 -1

drivers/media/platform/vivid/vivid-vid-common.c

··· 860 860 return -ENODATA; 861 861 if (edid->start_block >= dev->edid_blocks) 862 862 return -EINVAL; 863 - if (edid->start_block + edid->blocks > dev->edid_blocks) 863 + if (edid->blocks > dev->edid_blocks - edid->start_block) 864 864 edid->blocks = dev->edid_blocks - edid->start_block; 865 865 if (adap) 866 866 cec_set_edid_phys_addr(dev->edid, dev->edid_blocks * 128, adap->phys_addr);