From patchwork Thu Sep 1 09:46:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 602595 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 437A8ECAAD1 for ; Thu, 1 Sep 2022 09:47:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233890AbiIAJrY (ORCPT ); Thu, 1 Sep 2022 05:47:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233928AbiIAJrR (ORCPT ); Thu, 1 Sep 2022 05:47:17 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3416F128573 for ; Thu, 1 Sep 2022 02:47:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1662025635; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BBZNQN20GJ5gJTsV+zOCii6EVt4/u4E3xjRjECI9efQ=; b=bE47PN2tRZBq6pbjhaxzMzSJ4ZRlPvSwelGKLahWObWvolKHKxv2tzQIeNlasHqBBaV3Ud XlBqjJBYEYNweySkjldK9LSpSa56yZBWUaesxybarkeeNiQilmoOu/pgtD6TtL1ccRCBtp O39K4vbNIJd58nalm/OdBvZui9MYG/k= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-37-r6uzPst8N5qj6zp0u4cMMQ-1; Thu, 01 Sep 2022 05:47:14 -0400 X-MC-Unique: r6uzPst8N5qj6zp0u4cMMQ-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7E6452803BC9; Thu, 1 Sep 2022 09:47:02 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.195.90]) by smtp.corp.redhat.com (Postfix) with ESMTP id CF896403344; Thu, 1 Sep 2022 09:47:00 +0000 (UTC) From: Hans de Goede To: Mauro Carvalho Chehab , Sakari Ailus Cc: Hans de Goede , Tsuchiya Yuto , Andy Shevchenko , Yury Luneff , Nable , andrey.i.trufanov@gmail.com, Fabio Aiuto , linux-media@vger.kernel.org, linux-staging@lists.linux.dev, Dan Carpenter Subject: [PATCH 14/14] media: atomisp: prevent integer overflow in sh_css_set_black_frame() Date: Thu, 1 Sep 2022 11:46:26 +0200 Message-Id: <20220901094626.11513-15-hdegoede@redhat.com> In-Reply-To: <20220901094626.11513-1-hdegoede@redhat.com> References: <20220901094626.11513-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org From: Dan Carpenter The "height" and "width" values come from the user so the "height * width" multiplication can overflow. Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YxBBCRnm3mmvaiuR@kili Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede --- drivers/staging/media/atomisp/pci/sh_css_params.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c index 0e7c38b2bfe3..67915d76a87f 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_params.c +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c @@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream, params->fpn_config.data = NULL; } if (!params->fpn_config.data) { - params->fpn_config.data = kvmalloc(height * width * - sizeof(short), GFP_KERNEL); + params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)), + GFP_KERNEL); if (!params->fpn_config.data) { IA_CSS_ERROR("out of memory"); IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);