Re: [PATCH] media: atomisp: prevent integer overflow in sh_css_set_black_frame()

Hans de Goede <hdegoede@xxxxxxxxxx> · Thu, 1 Sep 2022 10:26:00 +0200

Hi,

On 9/1/22 07:20, Dan Carpenter wrote:
> The "height" and "width" values come from the user so the "height * width"
> multiplication can overflow.
> 
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Thanks, patch looks good to me:

Reviewed-by: Hans de Goede <hdegoede@xxxxxxxxxx>

I'll also add this to my set of pending atomisp2 cleanup patches
so that the next time I test the atomisp2 with my local tree
this will also get tested.

Regards,

Hans

> ---
>  drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
> index 0e7c38b2bfe3..67915d76a87f 100644
> --- a/drivers/staging/media/atomisp/pci/sh_css_params.c
> +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
> @@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
>  		params->fpn_config.data = NULL;
>  	}
>  	if (!params->fpn_config.data) {
> -		params->fpn_config.data = kvmalloc(height * width *
> -						   sizeof(short), GFP_KERNEL);
> +		params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
> +						   GFP_KERNEL);
>  		if (!params->fpn_config.data) {
>  			IA_CSS_ERROR("out of memory");
>  			IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);