diff options
Diffstat (limited to 'drivers/video/omap2/dsscomp/device.c')
| -rw-r--r-- | drivers/video/omap2/dsscomp/device.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/drivers/video/omap2/dsscomp/device.c b/drivers/video/omap2/dsscomp/device.c index ec80ca51ae2..80cc21b7ce2 100644 --- a/drivers/video/omap2/dsscomp/device.c +++ b/drivers/video/omap2/dsscomp/device.c @@ -444,9 +444,18 @@ static long comp_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { struct dsscomp_display_info *dis = NULL; r = copy_from_user(&u.dis, ptr, sizeof(u.dis)); - if (!r) + if (!r) { + /* impose a safe limit on modedb_len to prevent + * wrap around/overflow calculation of the alloced + * size that would make it smaller than + * struct dsscomp_display_info and cause heap + * corruption. + */ + u.dis.modedb_len = clamp_val(u.dis.modedb_len, 0, 256); + dis = kzalloc(sizeof(*dis->modedb) * u.dis.modedb_len + sizeof(*dis), GFP_KERNEL); + } if (dis) { *dis = u.dis; r = query_display(cdev, dis) ? : |