[PATCH v1 2/4] staging: atomisp: prevent integer overflow in sh_css_params DVS allocation

[Siho Lee]

Same integer overflow pattern as the previous commit, in the same file
where CVE-2022-50399 was fixed (line 954) but these four locations
(lines 4481, 4486, 4491, 4497) were missed.

Fixes: a49d25364dfb ("staging/atomisp: add support for DVS")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Siho Lee <25esihoya@xxxxxxxxx>
---
 drivers/staging/media/atomisp/pci/sh_css_params.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c
b/drivers/staging/media/atomisp/pci/sh_css_params.c
index fcebace11..52ac15df1 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -4478,23 +4478,23 @@ ia_css_dvs2_6axis_config_allocate(const struct
ia_css_stream *stream)
 				    params->pipe_dvs_6axis_config[IA_CSS_PIPE_ID_VIDEO]->height_uv;
 	IA_CSS_LOG("table Y: W %d H %d", width_y, height_y);
 	IA_CSS_LOG("table UV: W %d H %d", width_uv, height_uv);
-	dvs_config->xcoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
+	dvs_config->xcoords_y = kvmalloc(array3_size(width_y, height_y,
sizeof(uint32_t)),
 					 GFP_KERNEL);
 	if (!dvs_config->xcoords_y)
 		goto err;

-	dvs_config->ycoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
+	dvs_config->ycoords_y = kvmalloc(array3_size(width_y, height_y,
sizeof(uint32_t)),
 					 GFP_KERNEL);
 	if (!dvs_config->ycoords_y)
 		goto err;

-	dvs_config->xcoords_uv = kvmalloc(width_uv * height_uv *
+	dvs_config->xcoords_uv = kvmalloc(array3_size(width_uv, height_uv,
 					  sizeof(uint32_t),
 					  GFP_KERNEL);
 	if (!dvs_config->xcoords_uv)
 		goto err;

-	dvs_config->ycoords_uv = kvmalloc(width_uv * height_uv *
+	dvs_config->ycoords_uv = kvmalloc(array3_size(width_uv, height_uv,
 					  sizeof(uint32_t),
 					  GFP_KERNEL);
 	if (!dvs_config->ycoords_uv)
-- 
2.43.0