From patchwork Thu Sep 23 17:43:41 2010
X-Patchwork-Submitter: Pete Eberlein
X-Patchwork-Id: 202542
Subject: [PATCH] go7007: MJPEG buffer overflow
From: Pete Eberlein To: "linux-media@vger.kernel.org" Date: Thu, 23 Sep 2010 10:43:41 -0700 Message-ID: <1285263821.2456.36.camel@pete-desktop> Mime-Version: 1.0 X-Mailer: Evolution 2.28.1 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator886.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - sensoray.com Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org diff --git a/drivers/staging/go7007/go7007-driver.c b/drivers/staging/go7007/go7007-driver.c index 372a7c6..34d21e2 100644 --- a/drivers/staging/go7007/go7007-driver.c +++ b/drivers/staging/go7007/go7007-driver.c @@ -393,7 +393,8 @@ static void write_bitmap_word(struct go7007 *go) for (i = 0; i < 16; ++i) { y = (((go->parse_length - 1) << 3) + i) / (go->width >> 4); x = (((go->parse_length - 1) << 3) + i) % (go->width >> 4); - go->active_map[stride * y + (x >> 3)] |= + if (stride * y + (x >> 3) < sizeof(go->active_map)) + go->active_map[stride * y + (x >> 3)] |= (go->modet_word & 1) << (x & 0x7); go->modet_word >>= 1; } @@ -485,6 +486,15 @@ void go7007_parse_video_stream(struct go7007 *go, u8 *buf, int length) } break; case STATE_00_00_01: + if (buf[i] == 0xF8 && go->modet_enable == 0) { + /* MODET start code, but MODET not enabled */ + store_byte(go->active_buf, 0x00); + store_byte(go->active_buf, 0x00); + store_byte(go->active_buf, 0x01); + store_byte(go->active_buf, 0xF8); + go->state = STATE_DATA; + break; + } /* If this is the start of a new MPEG frame, * get a new buffer */ if ((go->format == GO7007_FORMAT_MPEG1 ||
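Review bot: In the write_bitmap_word() hunk, the new guard repeats the index expression `stride * y + (x >> 3)` on two consecutive lines and bounds it with `sizeof(go->active_map)`, which is only the element count if active_map is a byte array embedded in struct go7007; if it is ever turned into a pointer the check silently becomes a comparison against the pointer size. Compute the index once into a local and compare it against ARRAY_SIZE(go->active_map), so the test and the store cannot drift apart. The guard also drops out-of-range bits without any indication while `go->modet_word >>= 1` still runs, so the condition that lets parse_length walk past the end of the map stays hidden; a rate-limited warning, or resetting the parse state when the index first goes out of range, would make a malformed stream visible. The unchanged lines above divide by `go->width >> 4`, so it is worth confirming in the same patch that width can never be below 16 on this path.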
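Review bot: In the go7007_parse_video_stream() hunk, the new `buf[i] == 0xF8 && go->modet_enable == 0` branch under STATE_00_00_01 is not explained anywhere: the patch has no changelog text and no Signed-off-by, and the subject only says "MJPEG buffer overflow", which does not tell a reader why a MODET start code arriving with motion detection disabled has to be copied through as data. Please add a description that states which buffer overflowed, how the 0xF8 sequence reaches this state, and why passing it through is the right handling. The branch also writes four bytes through store_byte(go->active_buf, ...) before the existing "get a new buffer" logic that follows it, so the description (or a comment) should say whether go->active_buf is guaranteed to be valid at this point and whether store_byte() bounds-checks the buffer itself; if either is not the case, this path needs its own check. The replayed prefix 00 00 01 F8 would read more clearly as a small static array written in a loop than as four separate calls.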