media: v4l2-compat-ioctl32: prevent go past max size

BugLink: http://bugs.launchpad.net/bugs/1807469
commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.

As warned by smatch:
	drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 6730fd08ef038f5face449d8d592f7f243ba98a2..e159dfc21279cdafb729f7ccc281da3a400b4eab 100644 (file)
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -871,7 +871,7 @@ static int put_v4l2_ext_controls32(struct file *file,
            get_user(kcontrols, &kp->controls))
                return -EFAULT;
 
-       if (!count)
+       if (!count || count > (U32_MAX/sizeof(*ucontrols)))
                return 0;
        if (get_user(p, &up->controls))
                return -EFAULT;