zr364xx: enforce minimum size when reading header

BugLink: http://bugs.launchpad.net/bugs/1694621 commit ee0fe833 upstream. This code copies actual_length-128 bytes from the header, which will underflow if the received buffer is too small. Signed-off-by: Alyssa Milburn <amilburn@zall.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

zr364xx: enforce minimum size when reading header
BugLink: http://bugs.launchpad.net/bugs/1694621 commit ee0fe833 upstream. This code copies actual_length-128 bytes from the header, which will underflow if the received buffer is too small. Signed-off-by: Alyssa Milburn <amilburn@zall.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
82d9a00d · Alyssa Milburn · Kleber Sacilotto de Souza · 5fbe3658 · 82d9a00d
Commit 82d9a00d authored Apr 01, 2017 by Alyssa Milburn Committed by Kleber Sacilotto de Souza Jun 20, 2017
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

drivers/media/usb/zr364xx/zr364xx.c drivers/media/usb/zr364xx/zr364xx.c +8 -0

No files found.
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(struct zr364xx_camera *cam,
 	ptr = pdest = frm->lpvbits;
 	if (frm->ulState == ZR364XX_READ_IDLE) {
+		if (purb->actual_length < 128) {
+			/* header incomplete */
+			dev_info(&cam->udev->dev,
+				 "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+				 __func__, purb->actual_length);
+			return -EINVAL;
+		}
 		frm->ulState = ZR364XX_READ_FRAME;
 		frm->cur_size = 0;