From: Hans de Goede <hdegoede@redhat.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>,
Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: Hans de Goede <hdegoede@redhat.com>,
Tsuchiya Yuto <kitakar@gmail.com>,
Andy Shevchenko <andy@kernel.org>,
Yury Luneff <yury.lunev@gmail.com>,
Nable <nable.maininbox@googlemail.com>,
andrey.i.trufanov@gmail.com, Fabio Aiuto <fabioaiuto83@gmail.com>,
linux-media@vger.kernel.org, linux-staging@lists.linux.dev,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 14/14] media: atomisp: prevent integer overflow in sh_css_set_black_frame()
Date: Thu, 1 Sep 2022 11:46:26 +0200 [thread overview]
Message-ID: <20220901094626.11513-15-hdegoede@redhat.com> (raw)
In-Reply-To: <20220901094626.11513-1-hdegoede@redhat.com>
From: Dan Carpenter <dan.carpenter@oracle.com>
The "height" and "width" values come from the user so the "height * width"
multiplication can overflow.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YxBBCRnm3mmvaiuR@kili
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
index 0e7c38b2bfe3..67915d76a87f 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
params->fpn_config.data = NULL;
}
if (!params->fpn_config.data) {
- params->fpn_config.data = kvmalloc(height * width *
- sizeof(short), GFP_KERNEL);
+ params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
+ GFP_KERNEL);
if (!params->fpn_config.data) {
IA_CSS_ERROR("out of memory");
IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
--
2.37.2
next prev parent reply other threads:[~2022-09-01 9:47 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 9:46 [PATCH 00/14] media: atomisp: More cleanups / code removal Hans de Goede
2022-09-01 9:46 ` [PATCH 01/14] media: atomisp: Fix device_caps reporting of the registered video-devs Hans de Goede
2022-09-01 9:46 ` [PATCH 02/14] media: atomisp: Remove file-injection support Hans de Goede
2022-09-01 9:46 ` [PATCH 03/14] media: atomisp: Remove atomisp_file_fops and atomisp_file_ioctl_ops Hans de Goede
2022-09-01 9:46 ` [PATCH 04/14] media: atomisp: Remove the outq videobuf queue Hans de Goede
2022-09-01 9:46 ` [PATCH 05/14] media: atomisp: Remove never set file_input flag Hans de Goede
2022-09-01 9:46 ` [PATCH 06/14] media: atomisp: Remove the ACC device node Hans de Goede
2022-09-01 9:46 ` [PATCH 07/14] media: atomisp: Remove some further ATOMISP_ACC_* related dead code Hans de Goede
2022-09-01 9:46 ` [PATCH 08/14] media: atomisp: Remove empty atomisp_css_set_cont_prev_start_time() function Hans de Goede
2022-09-01 9:46 ` [PATCH 09/14] media: atomisp: Split subdev and video-node registration into 2 steps Hans de Goede
2022-09-01 9:46 ` [PATCH 10/14] media: atomisp: Register /dev/* nodes at the end of atomisp_pci_probe() Hans de Goede
2022-09-01 19:56 ` Andy Shevchenko
2022-09-02 9:04 ` Hans de Goede
2022-09-02 9:10 ` Andy Shevchenko
2022-09-02 9:16 ` Andy Shevchenko
2022-09-01 9:46 ` [PATCH 11/14] media: atomisp: Remove loading mutex Hans de Goede
2022-09-01 9:46 ` [PATCH 12/14] media: atomisp: Fix v4l2_fh resource leak on open errors Hans de Goede
2022-09-01 9:46 ` [PATCH 13/14] media: atomisp: Simplify v4l2_fh_open() error handling Hans de Goede
2022-09-01 9:46 ` Hans de Goede [this message]
2022-09-01 15:08 ` [PATCH 00/14] media: atomisp: More cleanups / code removal Mauro Carvalho Chehab
2022-09-01 15:30 ` Hans de Goede
2022-09-01 19:59 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220901094626.11513-15-hdegoede@redhat.com \
--to=hdegoede@redhat.com \
--cc=andrey.i.trufanov@gmail.com \
--cc=andy@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=fabioaiuto83@gmail.com \
--cc=kitakar@gmail.com \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=mchehab@kernel.org \
--cc=nable.maininbox@googlemail.com \
--cc=sakari.ailus@linux.intel.com \
--cc=yury.lunev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.