Haogang Chen 806e23e95f [media] uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map() ... There is a potential integer overflow in uvc_ioctl_ctrl_map(). When a large xmap->menu_count is passed from the userspace, the subsequent call to kmalloc() will allocate a buffer smaller than expected. map->menu_count and map->menu_info would later be used in a loop (e.g. in uvc_query_v4l2_ctrl), which leads to out-of-bound access. The patch checks the ioctl argument and returns -EINVAL for zero or too large values in xmap->menu_count. Signed-off-by: Haogang Chen <haogangchen@gmail.com> [laurent.pinchart@ideasonboard.com Prevent excessive memory consumption] Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Cc: stable@kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>		2011-12-11 11:23:54 -02:00
..
Kconfig	[media] uvcvideo: Use videobuf2-vmalloc	2011-12-11 11:13:06 -02:00
Makefile	[media] uvcvideo: Add debugfs support	2011-12-11 11:22:07 -02:00
uvc_ctrl.c	[media] uvcvideo: Ignore GET_RES error for XU controls	2011-12-11 11:15:01 -02:00
uvc_debugfs.c	[media] uvcvideo: Extract video stream statistics	2011-12-11 11:22:08 -02:00
uvc_driver.c	[media] uvcvideo: Add debugfs support	2011-12-11 11:22:07 -02:00
uvc_entity.c	[media] uvcvideo: Fix crash when linking entities	2011-09-21 22:18:07 -03:00
uvc_isight.c	[media] uvcvideo: Move fields from uvc_buffer::buf to uvc_buffer	2011-12-11 11:12:05 -02:00
uvc_queue.c	[media] uvcvideo: Add UVC timestamps support	2011-12-11 11:23:30 -02:00
uvc_status.c	[media] uvcvideo: Update e-mail address and copyright notices	2010-10-21 01:18:18 -02:00
uvc_v4l2.c	[media] uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map()	2011-12-11 11:23:54 -02:00
uvc_video.c	[media] uvcvideo: Add UVC timestamps support	2011-12-11 11:23:30 -02:00
uvcvideo.h	[media] uvcvideo: Fix integer overflow in uvc_ioctl_ctrl_map()	2011-12-11 11:23:54 -02:00