media: atomisp: prevent integer overflow in sh_css_set_black_frame()
author Dan Carpenter <dan.carpenter@oracle.com>
Thu, 1 Sep 2022 05:20:09 +0000 (07:20 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Nov 2022 14:59:14 +0000 (23:59 +0900)
[ Upstream commit 3ad290194bb06979367622e47357462836c1d3b4 ]

The "height" and "width" values come from the user so the "height * width"
multiplication can overflow.

Link: https://lore.kernel.org/r/YxBBCRnm3mmvaiuR@kili
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/staging/media/atomisp/pci/sh_css_params.c

index ccc0078..deecffd 100644 (file)
@@ -962,8 +962,8 @@ sh_css_set_black_frame(struct ia_css_stream *stream,
                params->fpn_config.data = NULL;
        }
        if (!params->fpn_config.data) {
-               params->fpn_config.data = kvmalloc(height * width *
-                                                  sizeof(short), GFP_KERNEL);
+               params->fpn_config.data = kvmalloc(array3_size(height, width, sizeof(short)),
+                                                  GFP_KERNEL);
                if (!params->fpn_config.data) {
                        IA_CSS_ERROR("out of memory");
                        IA_CSS_LEAVE_ERR_PRIVATE(-ENOMEM);
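Review bot: In the kvmalloc() call, a user-supplied height and width whose product overflows now saturates inside array3_size() and falls into the existing IA_CSS_ERROR("out of memory") / -ENOMEM branch, so a malformed request is reported the same way as a genuine allocation failure. Consider validating height and width against the limits the hardware supports before this block and returning -EINVAL for out-of-range values; that check could also reject a zero dimension, since a zero-size allocation returns a non-NULL pointer and passes the `if (!params->fpn_config.data)` test. The code that later fills fpn_config.data is not visible in this hunk, so it is worth confirming that it does not recompute height * width with unchecked arithmetic. As a style point, the new array3_size(height, width, sizeof(short)) line runs well past 80 columns and could be split by computing the size into a local size_t first.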