iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

zr364xx: enforce minimum size when reading header

Browse Source 
commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.

This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.

Signed-off-by: Alyssa Milburn <amilburn@zall.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Alyssa Milburn 2017-04-01 14:34:08 -03:00 committed by Greg Kroah-Hartman
parent 466b45af50
commit 64579fcc57
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/media/usb/zr364xx/zr364xx.c
View File

@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(struct zr364xx_camera *cam,
ptr = pdest = frm->lpvbits;
if (frm->ulState == ZR364XX_READ_IDLE) {
if (purb->actual_length < 128) {
/* header incomplete */
dev_info(&cam->udev->dev,
"%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
__func__, purb->actual_length);
return -EINVAL;
}
frm->ulState = ZR364XX_READ_FRAME;
frm->cur_size = 0;