On Wed, Sep 07, 2022 at 07:55:44PM +0100, Gustavo A. R. Silva wrote:
> In preparation for FORTIFY_SOURCE performing run-time destination buffer
> bounds checking for memcpy(), specify the destination output buffer
> explicitly, instead of asking memcpy() to write past the end of what looked
> like a fixed-size object.
>
> Notice that raw_frame is a pointer to a structure that contains
> flexible-array member rawframe[]:
>
> drivers/media/usb/pwc/pwc.h:
> 190 struct pwc_raw_frame {
> 191 __le16 type; /* type of the webcam */
> 192 __le16 vbandlength; /* Size of 4 lines compressed (used by the
> 193 decompressor) */
> 194 __u8 cmd[4]; /* the four byte of the command (in case of
> 195 nala, only the first 3 bytes is filled) */
> 196 __u8 rawframe[]; /* frame_size = H / 4 * vbandlength */
> 197 } __packed;
>
> Link: https://github.com/KSPP/linux/issues/200
> Signed-off-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
Thanks! Yeah, this looks very similar to other transformations like
this. And this one even had the flex array already! :)
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
--
Kees Cook
