shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 11:26:02 +09:00
Code Issues Packages Projects Releases Wiki Activity

video: rockchip: mpp: overflow issue when copy_from_user

Browse Source 
when cnt is more than codec_info size, then it may be overflow risk.

Change-Id: I7352118f425ccf263df0083c21ef0433f2322a43
Signed-off-by: Ding Wei <leo.ding@rock-chips.com>
This commit is contained in:
Ding Wei
2021-02-23 16:13:00 +08:00
parent 9e2373210d
commit e26a5d3bf2
3 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/video/rockchip/mpp/mpp_rkvenc.c
View File

@@ -659,6 +659,7 @@ static int rkvenc_control(struct mpp_session *session, struct mpp_request *req)
priv = session->priv;
cnt = req->size / sizeof(elem);
cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
for (i = 0; i < cnt; i++) {
if (copy_from_user(&elem, req->data + i * sizeof(elem), sizeof(elem))) {

1
drivers/video/rockchip/mpp/mpp_vepu1.c
View File

@@ -410,6 +410,7 @@ static int vepu_control(struct mpp_session *session, struct mpp_request *req)
priv = session->priv;
cnt = req->size / sizeof(elem);
cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
down_write(&priv->rw_sem);
for (i = 0; i < cnt; i++) {

1
drivers/video/rockchip/mpp/mpp_vepu2.c
View File

@@ -434,6 +434,7 @@ static int vepu_control(struct mpp_session *session, struct mpp_request *req)
priv = session->priv;
cnt = req->size / sizeof(elem);
cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
for (i = 0; i < cnt; i++) {
if (copy_from_user(&elem, req->data + i * sizeof(elem), sizeof(elem))) {