From: Dan Carpenter <dan.carpenter@oracle.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-media@vger.kernel.org, devel@driverdev.osuosl.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] media: davinci_vpfe: fix some potential overflows
Date: Fri, 20 Apr 2018 10:09:27 +0000
Message-ID: <20180420100927.GA30237@mwanda>
We check "lutdpc->dpc_size" in ipipe_validate_lutdpc_params() but if
it's invalid then we would have corrupted memory already when we do
the memcpy() before calling it.
We don't ever check "gamma->tbl_size" but we should since they come from
the user.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
index 95942768639c..068b3333e224 100644
--- a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
+++ b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
@@ -82,6 +82,8 @@ static int ipipe_set_lutdpc_params(struct vpfe_ipipe_device *ipipe, void *param)
lutdpc->en = dpc_param->en;
lutdpc->repl_white = dpc_param->repl_white;
lutdpc->dpc_size = dpc_param->dpc_size;
+ if (dpc_param->dpc_size > LUT_DPC_MAX_SIZE)
+ return -EINVAL;
memcpy(&lutdpc->table, &dpc_param->table,
(dpc_param->dpc_size * sizeof(struct vpfe_ipipe_lutdpc_entry)));
if (ipipe_validate_lutdpc_params(lutdpc) < 0)
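Review bot: The new bound check sits after the three stores into lutdpc (en, repl_white, dpc_size), so on the -EINVAL path the out-of-range dpc_size has already been written into the device's lutdpc state. Consider moving the "if (dpc_param->dpc_size > LUT_DPC_MAX_SIZE)" test above "lutdpc->en = dpc_param->en;" so a rejected request leaves the stored parameters untouched and only the memcpy() length is ever taken from a validated value.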
@@ -591,7 +593,7 @@ ipipe_validate_gamma_entry(struct vpfe_ipipe_gamma_entry *table, int size)
static int
ipipe_validate_gamma_params(struct vpfe_ipipe_gamma *gamma, struct device *dev)
{
- int table_size;
+ unsigned int table_size;
int err;
if (gamma->bypass_r > 1 ||
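Review bot: The helper named in the hunk header, ipipe_validate_gamma_entry(), still takes "int size", so the now-unsigned table_size is converted back to int at each call. That is harmless once the value is bounded, but the types are inconsistent; consider making the helper's parameter unsigned as well. The commit message would also benefit from one sentence saying that the switch to unsigned is what lets the single upper-bound comparison in the next hunk reject negative values too.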
@@ -603,6 +605,8 @@ ipipe_validate_gamma_params(struct vpfe_ipipe_gamma *gamma, struct device *dev)
return 0;
table_size = gamma->tbl_size;
+ if (table_size > VPFE_IPIPE_MAX_SIZE_GAMMA)
+ return -EINVAL;
if (!gamma->bypass_r) {
err = ipipe_validate_gamma_entry(gamma->table_r, table_size);
if (err) {
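Review bot: The early "return 0;" shown as context above the new check returns success before tbl_size is examined, so on that path the user-supplied size is still unvalidated. Please confirm nothing downstream uses gamma->tbl_size in that case, or move the "table_size > VPFE_IPIPE_MAX_SIZE_GAMMA" test ahead of that return. It is also worth stating in the commit message whether ipipe_validate_gamma_params() runs before the gamma tables are copied, since the lutdpc problem described there was exactly a validation that ran after the memcpy().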