Skip to content

Commit

Permalink
UPSTREAM: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gc…
Browse files Browse the repository at this point in the history 
…u_write

[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]

In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
type int.  Then, copy_from_user() may cause a heap overflow because it is used
as the third argument of copy_from_user().

Bug: 245928838
Signed-off-by: Hyunwoo Kim <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Change-Id: I9e21917a52e2cb78cc640a77a6eba21838aa8655
  • Loading branch information
@V4bel
V4bel authored and Treehugger Robot committed Nov 10, 2022
1 parent 52e7aa3 commit 55a2910
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/video/fbdev/pxa3xx-gcu.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -381,7 +381,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
struct pxa3xx_gcu_batch *buffer;
struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);

int words = count / 4;
size_t words = count / 4;

/* Does not need to be atomic. There's a lock in user space,
* but anyhow, this is just for statistics. */
Expand Down

0 comments on commit 55a2910

Please sign in to comment.