media: vicodec: ensure comp frame pointer kept in range

Make sure that the pointer to the compressed frame does not get out of the buffer. Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
author: Dafna Hirschfeld <dafna3@gmail.com> 2019-01-24 07:51:08 -0200
committer: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> 2019-01-26 09:10:26 -0200
commit: f863f222b49a9c7a6cfcc72f1ac74ab14c7a7258 (patch)
tree: f759e369b2448a8c499486f4faf396ff2e1f320c /drivers/media/platform/vicodec/vicodec-core.c
parent: 3b15f68e19c28a76d175f61943a8c23224afce93 (diff)
download: linux-f863f222b49a9c7a6cfcc72f1ac74ab14c7a7258.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index 454476a9f659..28c3a3d57783 100644
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -186,6 +186,10 @@ static int device_process(struct vicodec_ctx *ctx,
 			return ret;
 		vb2_set_plane_payload(&dst_vb->vb2_buf, 0, ret);
 	} else {
+		unsigned int comp_frame_size = ntohl(ctx->state.header.size);
+
+		if (comp_frame_size > ctx->comp_max_size)
+			return -EINVAL;
 		state->info = q_dst->info;
 		ret = v4l2_fwht_decode(state, p_src, p_dst);
 		if (ret < 0)
author	Dafna Hirschfeld <dafna3@gmail.com>	2019-01-24 07:51:08 -0200
committer	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>	2019-01-26 09:10:26 -0200
commit	f863f222b49a9c7a6cfcc72f1ac74ab14c7a7258 (patch)
tree	f759e369b2448a8c499486f4faf396ff2e1f320c /drivers/media/platform/vicodec/vicodec-core.c
parent	3b15f68e19c28a76d175f61943a8c23224afce93 (diff)
download	linux-f863f222b49a9c7a6cfcc72f1ac74ab14c7a7258.tar.bz2