Re: [PATCH] media: synopsys: hdmirx: fix integer overflow in hdmirx_get_edid()
From: Dmitry Osipenko
Date: Thu Jan 08 2026 - 17:27:29 EST
On 1/8/26 23:03, Dan Carpenter wrote:
> The "edid->blocks" variable comes from the user via the ioctl. It's
> a u32 and "edid->start_block" is a u32 too. The addition operation
> could have an integer wrapping bug, so use the size_add() function to
> prevent that.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 7b59b132ad43 ("media: platform: synopsys: Add support for HDMI input driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/media/platform/synopsys/hdmirx/snps_hdmirx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/synopsys/hdmirx/snps_hdmirx.c b/drivers/media/platform/synopsys/hdmirx/snps_hdmirx.c
> index c3007e09bc9f..f054e30cbfb0 100644
> --- a/drivers/media/platform/synopsys/hdmirx/snps_hdmirx.c
> +++ b/drivers/media/platform/synopsys/hdmirx/snps_hdmirx.c
> @@ -717,7 +717,7 @@ static int hdmirx_get_edid(struct file *file, void *fh, struct v4l2_edid *edid)
> if (edid->start_block >= hdmirx_dev->edid_blocks_written || !edid->blocks)
> return -EINVAL;
>
> - if (edid->start_block + edid->blocks > hdmirx_dev->edid_blocks_written)
> + if (size_add(edid->start_block, edid->blocks) > hdmirx_dev->edid_blocks_written)
> edid->blocks = hdmirx_dev->edid_blocks_written - edid->start_block;
>
> memcpy(edid->edid, hdmirx_dev->edid, edid->blocks * EDID_BLOCK_SIZE);
Acked-by: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
--
Best regards,
Dmitry