On Wed 26 September 2012 10:01:06 Dan Carpenter wrote:
> Hi Hans,
>
> The patch ed45ce2cc0b3: "[media] v4l2-subdev: add support for the new
> edid ioctls" from Aug 10, 2012, needs an overflow check the same as the
> other cases in that switch statement.
>
> drivers/media/v4l2-core/v4l2-ioctl.c
>
>         case VIDIOC_SUBDEV_G_EDID:
>         case VIDIOC_SUBDEV_S_EDID: {
>                 struct v4l2_subdev_edid *edid = parg;
>
>                 if (edid->blocks) {
>                         *user_ptr = (void __user *)edid->edid;
>                         *kernel_ptr = (void *)&edid->edid;
>                         *array_size = edid->blocks * 128;
>                                       ^^^^^^^^^^^^^^^^^^
> This can overflow.
>
>                         ret = 1;
>                 }
>                 break;
>         }

True. Thanks for reporting this! I'll make a fix for it.

Regards,

        Hans
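Added example, not part of the original thread and not the kernel's code: a user-space model of the size computation at the marked line, showing how the 32-bit multiplication wraps and how a bound check placed before the multiply rejects the oversized count. The function names and the `EDID_MAX_BLOCKS` limit of 256 (one base block plus up to 255 extensions) are assumptions made for this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EDID_BLOCK_SIZE 128u
/* Assumed upper bound for this sketch: 1 base block + 255 extension blocks. */
#define EDID_MAX_BLOCKS 256u

/*
 * Models the quoted line: the product is computed in 32-bit unsigned
 * arithmetic, so it wraps modulo 2^32 before it is widened to size_t.
 */
static size_t edid_array_size_unchecked(uint32_t blocks)
{
    return blocks * EDID_BLOCK_SIZE;
}

/*
 * Validates the user-supplied block count before multiplying.
 * Returns 0 and stores the byte count in *size, or -EINVAL if the
 * count exceeds the assumed maximum.
 */
static int edid_array_size_checked(uint32_t blocks, size_t *size)
{
    if (blocks > EDID_MAX_BLOCKS)
        return -EINVAL;
    *size = (size_t)blocks * EDID_BLOCK_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample value: 0x02000001 * 128 = 0x1_0000_0080. */
    uint32_t blocks = 0x02000001u;
    size_t size = 0;

    /* The copy length collapses to one block while 'blocks' stays huge. */
    printf("unchecked: blocks=%u -> array_size=%zu\n",
           blocks, edid_array_size_unchecked(blocks));

    if (edid_array_size_checked(blocks, &size) == -EINVAL)
        printf("checked:   blocks=%u rejected with -EINVAL\n", blocks);
    return 0;
}
```

The mismatch is the hazard: the buffer copied from user space is sized from the wrapped value, while code that later consumes `edid->blocks` still sees the original count.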