* [PATCH] media: atomisp: prevent integer overflow in sh_css_set_black_frame()
@ 2022-09-01 5:20 Dan Carpenter
2022-09-01 8:26 ` Hans de Goede
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2022-09-01 5:20 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Sakari Ailus, Greg Kroah-Hartman, Andy Shevchenko, Hans de Goede,
linux-media, linux-staging, kernel-janitors
The "height" and "width" values come from the user so the "height * width"
multiplication can overflow.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
index 0e7c38b2bfe3..67915d76a87f 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
params->fpn_config.data = NULL;
}
if (!params->fpn_config.data) {
- params->fpn_config.data = kvmalloc(height * width *
- sizeof(short), GFP_KERNEL);
+ params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
+ GFP_KERNEL);
if (!params->fpn_config.data) {
IA_CSS_ERROR("out of memory");
IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
--
2.35.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: atomisp: prevent integer overflow in sh_css_set_black_frame()
2022-09-01 5:20 [PATCH] media: atomisp: prevent integer overflow in sh_css_set_black_frame() Dan Carpenter
@ 2022-09-01 8:26 ` Hans de Goede
0 siblings, 0 replies; 2+ messages in thread
From: Hans de Goede @ 2022-09-01 8:26 UTC (permalink / raw)
To: Dan Carpenter, Mauro Carvalho Chehab
Cc: Sakari Ailus, Greg Kroah-Hartman, Andy Shevchenko, linux-media,
linux-staging, kernel-janitors
Hi,
On 9/1/22 07:20, Dan Carpenter wrote:
> The "height" and "width" values come from the user so the "height * width"
> multiplication can overflow.
>
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Thanks, patch looks good to me:
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
I'll also add this to my set of pending atomisp2 cleanup patches
so that the next time I test the atomisp2 with my local tree
this will also get tested.
Regards,
Hans
> ---
> drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
> index 0e7c38b2bfe3..67915d76a87f 100644
> --- a/drivers/staging/media/atomisp/pci/sh_css_params.c
> +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
> @@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
> params->fpn_config.data = NULL;
> }
> if (!params->fpn_config.data) {
> - params->fpn_config.data = kvmalloc(height * width *
> - sizeof(short), GFP_KERNEL);
> + params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
> + GFP_KERNEL);
> if (!params->fpn_config.data) {
> IA_CSS_ERROR("out of memory");
> IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-09-01 8:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-01 5:20 [PATCH] media: atomisp: prevent integer overflow in sh_css_set_black_frame() Dan Carpenter
2022-09-01 8:26 ` Hans de Goede
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).