From: "Ronald S. Bultje" <R.S.Bultje@students.uu.nl>

Attached patch fixes a potential integer overflow in zoran_procs.c (part of
the zr36067 driver).  Bug was detected by Ken Ashcraft with the Stanford
checker.


---

 /dev/null                                  |    0 
 25-akpm/drivers/media/video/zoran_procfs.c |    4 ++++
 2 files changed, 4 insertions(+)

diff -puN drivers/media/video/zoran_procfs.c~zoran-overflow-fix drivers/media/video/zoran_procfs.c
--- 25/drivers/media/video/zoran_procfs.c~zoran-overflow-fix	2004-04-07 19:08:35.193476480 -0700
+++ 25-akpm/drivers/media/video/zoran_procfs.c	2004-04-07 19:08:35.196476024 -0700
@@ -204,6 +204,10 @@ zoran_write_proc (struct file   *file,
 	char *line, *ldelim, *varname, *svar, *tdelim;
 	struct zoran *zr;
 
+	/* Random maximum */
+	if (count > 256)
+		return -EINVAL;
+
 	zr = (struct zoran *) data;
 
 	string = sp = vmalloc(count + 1);
diff -L drivers/media/video/zoran_procfs.c-old -puN /dev/null /dev/null

_