zr364xx: enforce minimum size when reading header

commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream. This code copies actual_length-128 bytes from the header, which will underflow if the received buffer is too small. Signed-off-by: Alyssa Milburn <amilburn@zall.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Alyssa Milburn <amilburn@zall.org> 2017-04-01 20:34:08 +0300
committer: Ben Hutchings <ben@decadent.org.uk> 2017-08-26 04:14:00 +0300
commit: e674844ad3a2c336e23005a82354db5b9b2f4773 (patch)
tree: 79faf25f390e0cfda3547d8136119eb10ce92f26 /drivers
parent: 1a4b6a9aa3a892f819acf68d1a61765ec4dfc10d (diff)
download: linux-e674844ad3a2c336e23005a82354db5b9b2f4773.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/media/video/zr364xx.c b/drivers/media/video/zr364xx.c
index e78cf94f491e..ed3f740a20d4 100644
--- a/drivers/media/video/zr364xx.c
+++ b/drivers/media/video/zr364xx.c
@@ -611,6 +611,14 @@ static int zr364xx_read_video_callback(struct zr364xx_camera *cam,
 	ptr = pdest = frm->lpvbits;
 
 	if (frm->ulState == ZR364XX_READ_IDLE) {
+		if (purb->actual_length < 128) {
+			/* header incomplete */
+			dev_info(&cam->udev->dev,
+				 "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+				 __func__, purb->actual_length);
+			return -EINVAL;
+		}
+
 		frm->ulState = ZR364XX_READ_FRAME;
 		frm->cur_size = 0;
author	Alyssa Milburn <amilburn@zall.org>	2017-04-01 20:34:08 +0300
committer	Ben Hutchings <ben@decadent.org.uk>	2017-08-26 04:14:00 +0300
commit	e674844ad3a2c336e23005a82354db5b9b2f4773 (patch)
tree	79faf25f390e0cfda3547d8136119eb10ce92f26 /drivers
parent	1a4b6a9aa3a892f819acf68d1a61765ec4dfc10d (diff)
download	linux-e674844ad3a2c336e23005a82354db5b9b2f4773.tar.xz