panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Matthew Garrett <mjg@redhat.com>
Loading
Please register or sign in to comment