sys/uvideo: never try to allocate more than MALLOC_MAX
On Mon, 24 Feb 2025 21:12:02 +0100,
Kirill A. Korinsky <kirill@korins.ky> wrote:
>
> tech@,
>
> here is a diff which limits the amount of allocated memory to no
> more than MALLOC_MAX instead of SIZE_MAX.
>
> UVIDEO_MAX_BUFFERS is hardcoded as 8, and it will crash on malloc if
> the device returns a dwMaxVideoFrameSize of more than 32 MB.
>
Oops, I forgot to update the inlined file; here is a version with the typo fixed.
Ok?
sys/uvideo: never try to allocate more than MALLOC_MAX
tech@,
here is a diff which limits the amount of allocated memory to no
more than MALLOC_MAX instead of SIZE_MAX.
UVIDEO_MAX_BUFFERS is hardcoded as 8, and it will crash on malloc if
the device returns a dwMaxVideoFrameSize of more than 32 MB.
Ok?
Index: sys/dev/usb/uvideo.c
===================================================================
RCS file: /home/cvs/src/sys/dev/usb/uvideo.c,v
diff -u -p -r1.241 uvideo.c
--- sys/dev/usb/uvideo.c 24 Feb 2025 12:43:29 -0000 1.241
+++ sys/dev/usb/uvideo.c 24 Feb 2025 20:15:58 -0000
@@ -3386,13 +3386,13 @@ uvideo_reqbufs(void *v, struct v4l2_requ
/* allocate the total mmap buffer */
buf_size = UGETDW(sc->sc_desc_probe.dwMaxVideoFrameSize);
- if (buf_size >= SIZE_MAX / UVIDEO_MAX_BUFFERS) {
+ buf_size_total = sc->sc_mmap_count * buf_size;
+ buf_size_total = round_page(buf_size_total); /* page align buffer */
+ if (buf_size_total >= MALLOC_MAX) {
printf("%s: video frame size too large!\n", DEVNAME(sc));
sc->sc_mmap_count = 0;
return (EINVAL);
}
- buf_size_total = sc->sc_mmap_count * buf_size;
- buf_size_total = round_page(buf_size_total); /* page align buffer */
sc->sc_mmap_buffer = malloc(buf_size_total, M_USBDEV, M_NOWAIT);
if (sc->sc_mmap_buffer == NULL) {
printf("%s: can't allocate mmap buffer!\n", DEVNAME(sc));
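Review bot: the size check in uvideo_reqbufs() now runs after `buf_size_total = sc->sc_mmap_count * buf_size;` and round_page(), so it is only sound if neither of those steps can wrap. buf_size is read directly from the device-supplied dwMaxVideoFrameSize, and the removed check compared it against a quotient before any multiplication took place. Either bound buf_size first, for example `if (buf_size >= MALLOC_MAX / UVIDEO_MAX_BUFFERS)`, or add a comment stating why the widths of buf_size and buf_size_total (their declarations are not visible in this hunk) make the product safe. Also confirm that `>=` is intended, since it rejects a total of exactly MALLOC_MAX.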