Patch "media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-mediatek-vcodec-fix-potential-array-out-of-bou.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9367186965c27c9bcd97badfd8746a8e65a3ae83
Author: Wei Chen <harperchen1110@xxxxxxxxx>
Date:   Wed Mar 29 09:05:13 2023 +0100

    media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
    
    [ Upstream commit 8fbcf730cb89c3647f3365226fe7014118fa93c7 ]
    
    variable *nplanes is provided by user via system call argument. The
    possible value of q_data->fmt->num_planes is 1-3, while the value
    of *nplanes can be 1-8. The array access by index i can cause array
    out-of-bounds.
    
    Fix this bug by checking *nplanes against the array size.
    
    Signed-off-by: Wei Chen <harperchen1110@xxxxxxxxx>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
index c99705681a03e..93fcea821001f 100644
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
@@ -735,6 +735,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
 	}
 
 	if (*nplanes) {
+		if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
+			if (*nplanes != q_data->fmt->num_planes)
+				return -EINVAL;
+		} else {
+			if (*nplanes != 1)
+				return -EINVAL;
+		}
 		for (i = 0; i < *nplanes; i++) {
 			if (sizes[i] < q_data->sizeimage[i])
 				return -EINVAL;



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux