releases/3.18.85/media-rc-check-for-integer-overflow.patch

   1 From 3e45067f94bbd61dec0619b1c32744eb0de480c8 Mon Sep 17 00:00:00 2001
   2 From: Sean Young <sean@mess.org>
   3 Date: Sun, 8 Oct 2017 14:18:52 -0400
   4 Subject: media: rc: check for integer overflow
   5
   6 From: Sean Young <sean@mess.org>
   7
   8 commit 3e45067f94bbd61dec0619b1c32744eb0de480c8 upstream.
   9
  10 The ioctl LIRC_SET_REC_TIMEOUT would set a timeout of 704ns if called
  11 with a timeout of 4294968us.
  12
  13 Signed-off-by: Sean Young <sean@mess.org>
  14 Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
  15 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16
  17 ---
  18  drivers/media/rc/ir-lirc-codec.c |    9 ++++++---
  19  1 file changed, 6 insertions(+), 3 deletions(-)
  20
  21 --- a/drivers/media/rc/ir-lirc-codec.c
  22 +++ b/drivers/media/rc/ir-lirc-codec.c
  23 @@ -289,11 +289,14 @@ static long ir_lirc_ioctl(struct file *f
  24                 if (!dev->max_timeout)
  25                         return -ENOSYS;
  26
  27 +               /* Check for multiply overflow */
  28 +               if (val > U32_MAX / 1000)
  29 +                       return -EINVAL;
  30 +
  31                 tmp = val * 1000;
  32
  33 -               if (tmp < dev->min_timeout ||
  34 -                   tmp > dev->max_timeout)
  35 -                               return -EINVAL;
  36 +               if (tmp < dev->min_timeout || tmp > dev->max_timeout)
  37 +                       return -EINVAL;
  38
  39                 dev->timeout = tmp;
  40                 break;