Just like for ISOC, validate the decoded BULK buffer size when possible.
This avoids sending corrupted or partial buffers to userspace, which may
lead to application crash or run-time failure.
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx>
---
drivers/media/usb/uvc/uvc_video.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index aa0082fe5833..46df4d01e31b 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -1307,8 +1307,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream,
if (stream->bulk.header_size == 0 && !stream->bulk.skip_payload) {
do {
ret = uvc_video_decode_start(stream, buf, mem, len);
- if (ret == -EAGAIN)
+ if (ret == -EAGAIN) {
+ uvc_video_validate_buffer(stream, buf);
uvc_video_next_buffers(stream, &buf, &meta_buf);
+ }
} while (ret == -EAGAIN);
/* If an error occurred skip the rest of the payload. */
@@ -1342,8 +1344,10 @@ static void uvc_video_decode_bulk(struct urb *urb, struct uvc_streaming *stream,
if (!stream->bulk.skip_payload && buf != NULL) {
uvc_video_decode_end(stream, buf, stream->bulk.header,
stream->bulk.payload_size);
- if (buf->state == UVC_BUF_STATE_READY)
+ if (buf->state == UVC_BUF_STATE_READY) {
+ uvc_video_validate_buffer(stream, buf);
uvc_video_next_buffers(stream, &buf, &meta_buf);
+ }
}
stream->bulk.header_size = 0;
--
2.17.1
