[PATCH v3] staging: atomisp: fix heap buffer overflow in framebuffer conversion

[PATCH v3] staging: atomisp: fix heap buffer overflow in framebuffer conversion

[Soufiane Dani via B4 Relay]

From: Soufiane Dani <soufianeda@tutanota.com>

Validate sizeimage against the allocated frame buffer size before
hmm_store() to prevent out-of-bounds write.

Signed-off-by: Soufiane Dani <soufianeda@tutanota.com>
---
Changes in v3:
-
-
- Link to v2: https://lore.kernel.org/r/20260210-atomisp-fix-v2-1-2e1e15f1b774@tutanota.com

Changes in v2:
- Resend with all recipients (v1 only reached sakari and linux-staging)
- Link to v1: https://lore.kernel.org/r/20260210-atomisp-fix-v1-1-024429cbff31@tutanota.com
---
 drivers/staging/media/atomisp/pci/atomisp_cmd.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 3a4eb4f6d3be..ca7ffc7855ac 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -3326,6 +3326,11 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
 		goto err;
 	}
 
+	if (arg->fmt.sizeimage > res->data_bytes) {
+		ret = -EINVAL;
+		goto err;
+	}
+
 	tmp_buf = vmalloc(arg->fmt.sizeimage);
 	if (!tmp_buf) {
 		ret = -ENOMEM;

---
base-commit: 72c395024dac5e215136cbff793455f065603b06
change-id: 20260210-atomisp-fix-8e083f753688

Best regards,
-- 
Soufiane Dani <soufianeda@tutanota.com>

Re: [PATCH v3] staging: atomisp: fix heap buffer overflow in framebuffer conversion

[Dan Carpenter]

On Tue, Feb 10, 2026 at 04:45:23PM +0100, Soufiane Dani via B4 Relay wrote:
> From: Soufiane Dani <soufianeda@tutanota.com>
> 
> Validate sizeimage against the allocated frame buffer size before
> hmm_store() to prevent out-of-bounds write.
> 
> Signed-off-by: Soufiane Dani <soufianeda@tutanota.com>
> ---

Same review comments as v1.  Please slow down on the resends.  There is
no need to rush.

regards,
dan carpenter