media: vivid: potential integer overflow in vidioc_g_edid()

If we pick a very large "edid->blocks" value then the "edid->start_block + edid->blocks" addition could wrap around. Fixes: ef834f78 ("[media] vivid: add the video capture and output parts") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

media: vivid: potential integer overflow in vidioc_g_edid()
If we pick a very large "edid->blocks" value then the "edid->start_block + edid->blocks" addition could wrap around. Fixes: ef834f78 ("[media] vivid: add the video capture and output parts") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
9329e7b0 · Dan Carpenter · Mauro Carvalho Chehab · a3d71f25 · 9329e7b0
显示空白变更内容
内联并排

Showing with 1 addition and 1 deletion

drivers/media/platform/vivid/vivid-vid-common.c drivers/media/platform/vivid/vivid-vid-common.c +1 -1

未找到文件。
--- a/drivers/media/platform/vivid/vivid-vid-common.c
+++ b/drivers/media/platform/vivid/vivid-vid-common.c
@@ -860,7 +860,7 @@ int vidioc_g_edid(struct file *file, void *_fh,
 		return -ENODATA;
 	if (edid->start_block >= dev->edid_blocks)
 		return -EINVAL;
-	if (edid->start_block + edid->blocks > dev->edid_blocks)
+	if (edid->blocks > dev->edid_blocks - edid->start_block)
 		edid->blocks = dev->edid_blocks - edid->start_block;
 	if (adap)
 		cec_set_edid_phys_addr(dev->edid, dev->edid_blocks * 128, adap->phys_addr);