Commit 3ad29019 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab
Browse files

media: atomisp: prevent integer overflow in sh_css_set_black_frame()

The "height" and "width" values come from the user so the "height * width"
multiplication can overflow.

Link: https://lore.kernel.org/r/YxBBCRnm3mmvaiuR@kili



Fixes: a49d2536 ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
parent ba6856aa
Loading
Loading
Loading
Loading
+2 −2
Original line number Diff line number Diff line
@@ -950,8 +950,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
		params->fpn_config.data = NULL;
	}
	if (!params->fpn_config.data) {
		params->fpn_config.data = kvmalloc(height * width *
						   sizeof(short), GFP_KERNEL);
		params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
						   GFP_KERNEL);
		if (!params->fpn_config.data) {
			IA_CSS_ERROR("out of memory");
			IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);