| Message ID | 20241107142204.1182969-2-bsevens@google.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Skip parsing frames of type UVC_VS_UNDEFINED in | expand |
On Thu, Nov 07, 2024 at 02:22:02PM +0000, Benoit Sevens wrote: > This can lead to out of bounds writes since frames of this type were not > taken into account when calculating the size of the frames buffer in > uvc_parse_streaming. > > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") > Signed-off-by: Benoit Sevens <bsevens@google.com> Cc: stable <stable@kernel.org> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hi Benoît, Thank you for the patch. On Thu, Nov 07, 2024 at 02:22:02PM +0000, Benoit Sevens wrote: > This can lead to out of bounds writes since frames of this type were not > taken into account when calculating the size of the frames buffer in > uvc_parse_streaming. > > Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") > Signed-off-by: Benoit Sevens <bsevens@google.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > --- > drivers/media/usb/uvc/uvc_driver.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c > index 0fac689c6350..13db0026dc1a 100644 > --- a/drivers/media/usb/uvc/uvc_driver.c > +++ b/drivers/media/usb/uvc/uvc_driver.c > @@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_device *dev, > * Parse the frame descriptors. Only uncompressed, MJPEG and frame > * based formats have frame descriptors. > */ > - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && > + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && > buffer[2] == ftype) { > unsigned int maxIntervalIndex; >
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 0fac689c6350..13db0026dc1a 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_device *dev, * Parse the frame descriptors. Only uncompressed, MJPEG and frame * based formats have frame descriptors. */ - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && buffer[2] == ftype) { unsigned int maxIntervalIndex;
This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Signed-off-by: Benoit Sevens <bsevens@google.com> --- drivers/media/usb/uvc/uvc_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)