On Mon, Apr 12, 2004 at 10:02:37PM +0000, Linux Kernel wrote:
> ChangeSet 1.2126, 2004/04/12 15:02:37-07:00, [email protected]
>
> [PATCH] fix for potential integer overflow in zoran driver
>
> From: "Ronald S. Bultje" <[email protected]>
>
> Attached patch fixes a potential integer overflow in zoran_procs.c (part of
> the zr36067 driver). Bug was detected by Ken Ashcraft with the Stanford
> checker.
>
> --- a/drivers/media/video/zoran_procfs.c Tue Apr 13 14:07:59 2004
> +++ b/drivers/media/video/zoran_procfs.c Tue Apr 13 14:07:59 2004
> @@ -204,6 +204,10 @@
> char *line, *ldelim, *varname, *svar, *tdelim;
> struct zoran *zr;
>
> + /* Random maximum */
> + if (count > 256)
> + return -EINVAL;
> +
> zr = (struct zoran *) data;
>
> string = sp = vmalloc(count + 1);
2.4 already had this fixed, but uses a somewhat larger value to clip at.
For uniformity sake, perhaps they should be the same ?
Patch below makes it match 2.4-bk
Dave
--- bk-linus/drivers/media/video/zoran_procfs.c~ 2004-04-13 22:15:35.000000000 +0100
+++ bk-linus/drivers/media/video/zoran_procfs.c 2004-04-13 22:15:58.000000000 +0100
@@ -204,8 +204,7 @@
char *line, *ldelim, *varname, *svar, *tdelim;
struct zoran *zr;
- /* Random maximum */
- if (count > 256)
+ if (count > 32768) /* Stupidity filter */
return -EINVAL;
zr = (struct zoran *) data;