On 23/06/2022 21:14, Justin Green wrote:
> Validate V4L2 plane data_offset values. We need to make sure the size of
> the image we're encoding does not exceed the size of the buffer minus
> its offset.
>
> Signed-off-by: Justin Green <greenjustin@xxxxxxxxxx>
> ---
>  drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> index bc5b0a0168ec..8f5c1b9937bc 100644
> --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> @@ -687,6 +687,10 @@ static int mtk_jpeg_buf_prepare(struct vb2_buffer *vb)
>
>  for (i = 0; i < q_data->fmt->colplanes; i++) {
>  plane_fmt = q_data->pix_mp.plane_fmt[i];
> + if (vb->planes[i].data_offset > vb2_plane_size(vb, i) ||
> + vb2_plane_size(vb, i) - vb->planes[i].data_offset
> + < plane_fmt.sizeimage)

Is this correct? AFAICS this function is used for both buffers containing
the raw image (and it is correct in that case) and for buffers containing
the compressed JPEG data. But in the latter case sizeimage is the
worst-case image size, the actual data can be (and almost certainly is)
less than that, and this function returns an error when it shouldn't.

Or did I miss something?

In any case: this needs to be tested on actual hardware for both encoder
and decoder. A Tested-by tag would be very welcome.

Regards,

	Hans

> + return -EINVAL;
>  if (ctx->enable_exif &&
>  q_data->fmt->fourcc == V4L2_PIX_FMT_JPEG)
>  vb2_set_plane_payload(vb, i, plane_fmt.sizeimage +
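Review bot: the `vb2_plane_size(vb, i) - vb->planes[i].data_offset < plane_fmt.sizeimage` half of the new check is applied to every queue this buf_prepare serves, but for the plane that carries compressed JPEG data `sizeimage` is only an upper bound, so a buffer whose remaining space is smaller than that bound (but large enough for the actual stream) is rejected with -EINVAL. Keep the `data_offset > vb2_plane_size(vb, i)` guard for all formats, and gate the `sizeimage` comparison on the raw-image format only, e.g. by testing `q_data->fmt->fourcc != V4L2_PIX_FMT_JPEG` the same way the lines immediately below already test for the JPEG fourcc. Note also that those lines set the plane payload to `plane_fmt.sizeimage +` an extra amount when `ctx->enable_exif` is set, which is larger than the `sizeimage` the new check bounds against, so the check as written does not cover the payload actually claimed on that path; the bound should account for the same extra size or be computed after it.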