git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Feng Ning <feng@innora.ai>
	Sun, 12 Apr 2026 00:05:08 +0000 (00:05 +0000)
committer	Sakari Ailus <sakari.ailus@linux.intel.com>
	Wed, 20 May 2026 10:21:40 +0000 (13:21 +0300)
commit	d178c7ca8fefc28115d35b94c3b1f4d653e34182
tree	31b2857aa4f9dc663ed5af2e2d6d0933e0df1881	tree \| snapshot
parent	7222dc8751e0c1a179acd6f8a2c664a7f16081b1	commit \| diff

staging: media: atomisp: use array3_size() for overflow-safe allocation

Replace open-coded width * height * sizeof() multiplications with
array3_size() to prevent integer overflow in buffer allocations.

The atomisp driver computes DVS, morphing table, shading table and
statistics buffer sizes using unchecked arithmetic. When dimensions
are attacker-controlled or simply large, the product can silently wrap,
causing kvmalloc() to allocate an undersized buffer.

array3_size() saturates to SIZE_MAX on overflow, so kvmalloc() returns
NULL instead of succeeding with too few bytes.

Signed-off-by: Feng Ning <feng@innora.ai>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>

drivers/staging/media/atomisp/pci/sh_css_param_dvs.c		diff \| blob \| blame \| history
drivers/staging/media/atomisp/pci/sh_css_param_shading.c		diff \| blob \| blame \| history
drivers/staging/media/atomisp/pci/sh_css_params.c		diff \| blob \| blame \| history