diff options
author | Robb Glasser <rglasser@google.com> | 2017-04-12 14:41:58 +0200 |
---|---|---|
committer | Bertolin, PierreX <pierrex.bertolin@intel.com> | 2017-04-26 02:20:37 -0700 |
commit | 482994302c9242141e2f5cc11f0020d8c45f8bce (patch) | |
tree | a92d881dea66613419c5d2011d289e51d684b478 | |
parent | 9a9ff2085866be6ca0df34d5d64811130bc3cca3 (diff) | |
download | x86-482994302c9242141e2f5cc11f0020d8c45f8bce.tar.gz |
Prevent heap overflow in uvc driver
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5093
Signed-off-by: Robb Glasser <rglasser@google.com>
Reviewed-on: https://android.intel.com/577976
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-rw-r--r-- | drivers/media/usb/uvc/uvc_ctrl.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 3e59b288b8a8..57d2f89350d2 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1991,6 +1991,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain, if (!found) return -ENOENT; + if (ctrl->info.size < mapping->size) + return -EINVAL; + if (mutex_lock_interruptible(&chain->ctrl_mutex)) return -ERESTARTSYS; |