| Message ID | YxBBCRnm3mmvaiuR@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | media: atomisp: prevent integer overflow in sh_css_set_black_frame() | expand |
Hi, On 9/1/22 07:20, Dan Carpenter wrote: > The "height" and "width" values come from the user so the "height * width" > multiplication can overflow. > > Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks, patch looks good to me: Reviewed-by: Hans de Goede <hdegoede@redhat.com> I'll also add this to my set of pending atomisp2 cleanup patches so that the next time I test the atomisp2 with my local tree this will also get tested. Regards, Hans > --- > drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c > index 0e7c38b2bfe3..67915d76a87f 100644 > --- a/drivers/staging/media/atomisp/pci/sh_css_params.c > +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c > @@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream, > params->fpn_config.data = NULL; > } > if (!params->fpn_config.data) { > - params->fpn_config.data = kvmalloc(height * width * > - sizeof(short), GFP_KERNEL); > + params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)), > + GFP_KERNEL); > if (!params->fpn_config.data) { > IA_CSS_ERROR("out of memory"); > IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c index 0e7c38b2bfe3..67915d76a87f 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_params.c +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c @@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream, params->fpn_config.data = NULL; } if (!params->fpn_config.data) { - params->fpn_config.data = kvmalloc(height * width * - sizeof(short), GFP_KERNEL); + params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)), + GFP_KERNEL); if (!params->fpn_config.data) { IA_CSS_ERROR("out of memory"); IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
The "height" and "width" values come from the user so the "height * width" multiplication can overflow. Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)