From e26a5d3bf2ff9b88bee4e31181052c52d09c950e Mon Sep 17 00:00:00 2001
From: Ding Wei <leo.ding@rock-chips.com>
Date: Tue, 23 Feb 2021 16:13:00 +0800
Subject: [PATCH] video: rockchip: mpp: overflow issue when copy_from_user

when cnt is more than codec_info size, then it may be overflow risk.

Change-Id: I7352118f425ccf263df0083c21ef0433f2322a43
Signed-off-by: Ding Wei <leo.ding@rock-chips.com>
---
 drivers/video/rockchip/mpp/mpp_rkvenc.c | 1 +
 drivers/video/rockchip/mpp/mpp_vepu1.c  | 1 +
 drivers/video/rockchip/mpp/mpp_vepu2.c  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/drivers/video/rockchip/mpp/mpp_rkvenc.c b/drivers/video/rockchip/mpp/mpp_rkvenc.c
index d7fe1ba6a944..3cd4de229873 100644
--- a/drivers/video/rockchip/mpp/mpp_rkvenc.c
+++ b/drivers/video/rockchip/mpp/mpp_rkvenc.c
@@ -659,6 +659,7 @@ static int rkvenc_control(struct mpp_session *session, struct mpp_request *req)
 		priv = session->priv;
 
 		cnt = req->size / sizeof(elem);
+		cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
 		mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
 		for (i = 0; i < cnt; i++) {
 			if (copy_from_user(&elem, req->data + i * sizeof(elem), sizeof(elem))) {
diff --git a/drivers/video/rockchip/mpp/mpp_vepu1.c b/drivers/video/rockchip/mpp/mpp_vepu1.c
index 86ee2ffba3ed..58619e917b8e 100644
--- a/drivers/video/rockchip/mpp/mpp_vepu1.c
+++ b/drivers/video/rockchip/mpp/mpp_vepu1.c
@@ -410,6 +410,7 @@ static int vepu_control(struct mpp_session *session, struct mpp_request *req)
 		priv = session->priv;
 
 		cnt = req->size / sizeof(elem);
+		cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
 		mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
 		down_write(&priv->rw_sem);
 		for (i = 0; i < cnt; i++) {
diff --git a/drivers/video/rockchip/mpp/mpp_vepu2.c b/drivers/video/rockchip/mpp/mpp_vepu2.c
index af896645c8cd..f89b0ce05b2f 100644
--- a/drivers/video/rockchip/mpp/mpp_vepu2.c
+++ b/drivers/video/rockchip/mpp/mpp_vepu2.c
@@ -434,6 +434,7 @@ static int vepu_control(struct mpp_session *session, struct mpp_request *req)
 		priv = session->priv;
 
 		cnt = req->size / sizeof(elem);
+		cnt = (cnt > ENC_INFO_BUTT) ? ENC_INFO_BUTT : cnt;
 		mpp_debug(DEBUG_IOCTL, "codec info count %d\n", cnt);
 		for (i = 0; i < cnt; i++) {
 			if (copy_from_user(&elem, req->data + i * sizeof(elem), sizeof(elem))) {