From: Kirill A. Korinsky Subject: sys/uvideo: never try to allocate more than MALLOC_MAX To: OpenBSD tech Cc: Marcus Glocker Date: Mon, 24 Feb 2025 21:12:02 +0100 tech@, here a diff which limits a possible amount of allocated memory by no more than MALLOC_MAX instead of SIZE_MAX. UVIDEO_MAX_BUFFERS is hardcoded as 8 and if dwMaxVideoFrameSize and it will crash on malloc if device returns dwMaxVideoFrameSize more than 32mb Ok? Index: sys/dev/usb/uvideo.c =================================================================== RCS file: /home/cvs/src/sys/dev/usb/uvideo.c,v diff -u -p -r1.241 uvideo.c --- sys/dev/usb/uvideo.c 24 Feb 2025 12:43:29 -0000 1.241 +++ sys/dev/usb/uvideo.c 24 Feb 2025 20:06:57 -0000 @@ -3386,13 +3386,13 @@ uvideo_reqbufs(void *v, struct v4l2_requ /* allocate the total mmap buffer */ buf_size = UGETDW(sc->sc_desc_probe.dwMaxVideoFrameSize); - if (buf_size >= SIZE_MAX / UVIDEO_MAX_BUFFERS) { + buf_size_total = sc->sc_mmap_count * buf_size; + buf_size_total = round_page(buf_size_total); /* page align buffer */ + if (buf_size >= MALLOC_MAX) { printf("%s: video frame size too large!\n", DEVNAME(sc)); sc->sc_mmap_count = 0; return (EINVAL); } - buf_size_total = sc->sc_mmap_count * buf_size; - buf_size_total = round_page(buf_size_total); /* page align buffer */ sc->sc_mmap_buffer = malloc(buf_size_total, M_USBDEV, M_NOWAIT); if (sc->sc_mmap_buffer == NULL) { printf("%s: can't allocate mmap buffer!\n", DEVNAME(sc));
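Review bot: the new guard in uvideo_reqbufs() tests `buf_size >= MALLOC_MAX`, but the size passed to malloc() is `buf_size_total`, so a per-frame size just under MALLOC_MAX passes the check while the total can be up to sc_mmap_count times larger. Moving the multiplication and round_page() above the check also leaves `sc->sc_mmap_count * buf_size` without the overflow guard that the removed `SIZE_MAX / UVIDEO_MAX_BUFFERS` comparison provided, so a large device-supplied dwMaxVideoFrameSize can wrap before anything is compared. Suggest bounding buf_size before the multiply, for example `if (buf_size >= MALLOC_MAX / UVIDEO_MAX_BUFFERS)`, which assumes sc_mmap_count never exceeds UVIDEO_MAX_BUFFERS, or else computing the product in an overflow-safe way and comparing the rounded `buf_size_total` against MALLOC_MAX.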