From: Hans Verkuil <hans.verkuil@xxxxxxxxx>
The maximum size of an EDID is 32768 bytes, which is 32768 / 128 = 256 blocks.
Return -EINVAL if blocks > 256 to ensure that the memory allocation is sane.
Signed-off-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/media/v4l2-core/v4l2-ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 9d3e46c..a9af6f8 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -2211,6 +2211,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
struct v4l2_subdev_edid *edid = parg;
if (edid->blocks) {
+ if (edid->blocks > 256) {
+ ret = -EINVAL;
+ break;
+ }
*user_ptr = (void __user *)edid->edid;
*kernel_ptr = (void *)&edid->edid;
*array_size = edid->blocks * 128;
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
