media: venus: hfi_parser: add check to avoid out of bound access

There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
author: Vikash Garodia <quic_vgarodia@quicinc.com> 2025-02-20 20:20:08 +0300
committer: Hans Verkuil <hverkuil@xs4all.nl> 2025-03-03 20:21:54 +0300
commit: 172bf5a9ef70a399bb227809db78442dc01d9e48 (patch)
tree: edb4bfcd345a74876547a8a84986e98bd7c35a58
parent: d98e9213a768a3cc3a99f5e1abe09ad3baff2104 (diff)
download: linux-172bf5a9ef70a399bb227809db78442dc01d9e48.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c
index 3df241dc3a11..1425c69d9006 100644
--- a/drivers/media/platform/qcom/venus/hfi_parser.c
+++ b/drivers/media/platform/qcom/venus/hfi_parser.c
@@ -19,6 +19,8 @@ static void init_codecs(struct venus_core *core)
 	struct hfi_plat_caps *caps = core->caps, *cap;
 	unsigned long bit;
 
+	core->codecs_count = 0;
+
 	if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
 		return;
author	Vikash Garodia <quic_vgarodia@quicinc.com>	2025-02-20 20:20:08 +0300
committer	Hans Verkuil <hverkuil@xs4all.nl>	2025-03-03 20:21:54 +0300
commit	172bf5a9ef70a399bb227809db78442dc01d9e48 (patch)
tree	edb4bfcd345a74876547a8a84986e98bd7c35a58
parent	d98e9213a768a3cc3a99f5e1abe09ad3baff2104 (diff)
download	linux-172bf5a9ef70a399bb227809db78442dc01d9e48.tar.xz