media: vivid: potential integer overflow in vidioc_g_edid()

If we pick a very large "edid->blocks" value then the "edid->start_block
+ edid->blocks" addition could wrap around.

Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c
index e5914be0e12dcbec8318088cb85f75111c132f90..be531caa2cdf9e5f4d9f1213e7f8e4e524848b80 100644 (file)
--- a/drivers/media/platform/vivid/vivid-vid-common.c
+++ b/drivers/media/platform/vivid/vivid-vid-common.c
@@ -860,7 +860,7 @@ int vidioc_g_edid(struct file *file, void *_fh,
                return -ENODATA;
        if (edid->start_block >= dev->edid_blocks)
                return -EINVAL;
-       if (edid->start_block + edid->blocks > dev->edid_blocks)
+       if (edid->blocks > dev->edid_blocks - edid->start_block)
                edid->blocks = dev->edid_blocks - edid->start_block;
        if (adap)
                cec_set_edid_phys_addr(dev->edid, dev->edid_blocks * 128, adap->phys_addr);