Re: [PATCH] fix for potential integer overflow in zoran driver

[Dave Jones]

On Mon, Apr 12, 2004 at 10:02:37PM +0000, Linux Kernel wrote:
 > ChangeSet 1.2126, 2004/04/12 15:02:37-07:00, akpm@xxxxxxxx
 > 
 > 	[PATCH] fix for potential integer overflow in zoran driver
 > 	
 > 	From: "Ronald S. Bultje" <R.S.Bultje@xxxxxxxxxxxxxx>
 > 	
 > 	Attached patch fixes a potential integer overflow in zoran_procs.c (part of
 > 	the zr36067 driver).  Bug was detected by Ken Ashcraft with the Stanford
 > 	checker.
 > 
 > --- a/drivers/media/video/zoran_procfs.c	Tue Apr 13 14:07:59 2004
 > +++ b/drivers/media/video/zoran_procfs.c	Tue Apr 13 14:07:59 2004
 > @@ -204,6 +204,10 @@
 >  	char *line, *ldelim, *varname, *svar, *tdelim;
 >  	struct zoran *zr;
 >  
 > +	/* Random maximum */
 > +	if (count > 256)
 > +		return -EINVAL;
 > +
 >  	zr = (struct zoran *) data;
 >  
 >  	string = sp = vmalloc(count + 1);

2.4 already had this fixed, but uses a somewhat larger value to clip at.
For uniformity sake, perhaps they should be the same ?
Patch below makes it match 2.4-bk

		Dave


--- bk-linus/drivers/media/video/zoran_procfs.c~	2004-04-13 22:15:35.000000000 +0100
+++ bk-linus/drivers/media/video/zoran_procfs.c	2004-04-13 22:15:58.000000000 +0100
@@ -204,8 +204,7 @@
 	char *line, *ldelim, *varname, *svar, *tdelim;
 	struct zoran *zr;
 
-	/* Random maximum */
-	if (count > 256)
+	if (count > 32768)	/* Stupidity filter */
 		return -EINVAL;
 
 	zr = (struct zoran *) data;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/