summaryrefslogtreecommitdiff
path: root/drivers/media
diff options
context:
space:
mode:
authorChangming Liu <charley.ashbringer@gmail.com>2020-03-11 00:13:20 +0300
committerMauro Carvalho Chehab <mchehab+huawei@kernel.org>2020-03-12 18:26:15 +0300
commit3f870a450304427892cefbec7fbc76a553586278 (patch)
tree7af3965b1af3964fb283986d0aac1c4f87a6d4a5 /drivers/media
parent80264809ea0a3fd2ee8251f31a9eb85d2c3fc77e (diff)
downloadlinux-3f870a450304427892cefbec7fbc76a553586278.tar.xz
media: am437x-vpfe: exclude illegal values for enum when validing params from user space
When calling ccdc_data_size_max_bit() to validate data_sz in vpfe_ccdc_validate_param(), it's treated as an enumeration ranging from 0 to 7 while essentially it's an 32 bit unsigned integer directly from user space. This can make the return value of ccdc_data_size_max_bit() underflow and bypass the following check. To fix this, an additional check is added to the following if clause to keep this enumaration variable in range. And if its value is not legal, return -EINVAL properly. Signed-off-by: Changming Liu <charley.ashbringer@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/platform/am437x/am437x-vpfe.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c
index e3f302bc2f96..e14a2933144b 100644
--- a/drivers/media/platform/am437x/am437x-vpfe.c
+++ b/drivers/media/platform/am437x/am437x-vpfe.c
@@ -285,6 +285,7 @@ vpfe_ccdc_validate_param(struct vpfe_ccdc *ccdc,
max_data = ccdc_data_size_max_bit(ccdcparam->data_sz);
if (ccdcparam->alaw.gamma_wd > VPFE_CCDC_GAMMA_BITS_09_0 ||
+ ccdcparam->data_sz > VPFE_CCDC_DATA_8BITS ||
max_gamma > max_data) {
vpfe_dbg(1, vpfe, "Invalid data line select\n");
return -EINVAL;