V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream. If ctrls->count is too high the multiplication could overflow and array_size would be lower than expected. Mauro and Hans Verkuil suggested that we cap it at 1024. That comes from the maximum number of controls with lots of room for expantion. $ grep V4L2_CID include/linux/videodev2.h | wc -l 211 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Dan Carpenter <dan.carpenter@oracle.com> 2012-01-05 02:27:57 -0300
committer: Greg Kroah-Hartman <gregkh@suse.de> 2012-01-25 16:13:29 -0800
commit: bb9b57cc544d4c6a88a370338783c1390815d7ed (patch)
tree: 58a3cbf829f7a394b3612d4243de8bbd33436388 /include
parent: 37cd47c536d36a5bd5c7e9b83960aa5913758fec (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
index 4b752d5ee80e..45a769849b47 100644
--- a/include/linux/videodev2.h
+++ b/include/linux/videodev2.h
@@ -1131,6 +1131,7 @@ struct v4l2_querymenu {
 #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
 
 /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS		1024
 #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
 #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
 /*  IDs reserved for driver specific controls */
author	Dan Carpenter <dan.carpenter@oracle.com>	2012-01-05 02:27:57 -0300
committer	Greg Kroah-Hartman <gregkh@suse.de>	2012-01-25 16:13:29 -0800
commit	bb9b57cc544d4c6a88a370338783c1390815d7ed (patch)
tree	58a3cbf829f7a394b3612d4243de8bbd33436388 /include
parent	37cd47c536d36a5bd5c7e9b83960aa5913758fec (diff)