| Message ID | 20241107142204.1182969-2-bsevens@google.com |
|---|---|
| State | Accepted |
| Commit | ecf2b43018da9579842c774b7f35dbe11b5c38dd |
| Headers | show |
| Series | Skip parsing frames of type UVC_VS_UNDEFINED in | expand |
On Thu, Nov 07, 2024 at 05:04:32PM +0200, Laurent Pinchart wrote: > Hi BenoƮt, > > Thank you for the patch. > > On Thu, Nov 07, 2024 at 02:22:02PM +0000, Benoit Sevens wrote: > > This can lead to out of bounds writes since frames of this type were not > > taken into account when calculating the size of the frames buffer in > > uvc_parse_streaming. > > > > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") > > Signed-off-by: Benoit Sevens <bsevens@google.com> > > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Mauro, Hans, could you pick this as a fix for v6.12 ? > > --- > > drivers/media/usb/uvc/uvc_driver.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > > index 0fac689c6350..13db0026dc1a 100644 > > --- a/drivers/media/usb/uvc/uvc_driver.c > > +++ b/drivers/media/usb/uvc/uvc_driver.c > > @@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_device *dev, > > * Parse the frame descriptors. Only uncompressed, MJPEG and frame > > * based formats have frame descriptors. > > */ > > - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && > > + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && > > buffer[2] == ftype) { > > unsigned int maxIntervalIndex; > >
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 0fac689c6350..13db0026dc1a 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_device *dev, * Parse the frame descriptors. Only uncompressed, MJPEG and frame * based formats have frame descriptors. */ - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && buffer[2] == ftype) { unsigned int maxIntervalIndex;
This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Signed-off-by: Benoit Sevens <bsevens@google.com> --- drivers/media/usb/uvc/uvc_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)