Validate V4L2 plane data_offset values. We need to make sure the size of the image we're encoding does not exceed the size of the buffer minus its offset. Signed-off-by: Justin Green <greenjustin@xxxxxxxxxx> --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index bc5b0a0168ec..8f5c1b9937bc 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -687,6 +687,10 @@ static int mtk_jpeg_buf_prepare(struct vb2_buffer *vb) for (i = 0; i < q_data->fmt->colplanes; i++) { plane_fmt = q_data->pix_mp.plane_fmt[i]; + if (vb->planes[i].data_offset > vb2_plane_size(vb, i) || + vb2_plane_size(vb, i) - vb->planes[i].data_offset + < plane_fmt.sizeimage) + return -EINVAL; if (ctx->enable_exif && q_data->fmt->fourcc == V4L2_PIX_FMT_JPEG) vb2_set_plane_payload(vb, i, plane_fmt.sizeimage + -- 2.37.0.rc0.104.g0611611a94-goog
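Review bot: The new bound in the colplanes loop of mtk_jpeg_buf_prepare() compares the space left after data_offset against plane_fmt.sizeimage alone, but the enable_exif branch directly below it sets the payload to plane_fmt.sizeimage plus a further term (the continuation is cut off in the context shown), so in that case the validated size is smaller than the size the payload call uses. Consider computing the required size once per plane, including the extra term when ctx->enable_exif is set and the fourcc is V4L2_PIX_FMT_JPEG, then using that one value for both the check and vb2_set_plane_payload(). As a readability point, vb2_plane_size(vb, i) is evaluated twice and the continuation line starts with the `<` operator; hoisting the plane size into a local would let the condition fit as a single comparison. The commit message could also say whether the -EINVAL return is expected to be reachable from userspace-supplied data_offset values, since that is what makes the check security-relevant.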