This is a note to let you know that I've just added the patch titled

    media: vcodec: Fix potential array out-of-bounds in encoder queue_setup

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From e7f2e65699e2290fd547ec12a17008764e5d9620 Mon Sep 17 00:00:00 2001
From: Wei Chen <harperchen1110@xxxxxxxxx>
Date: Thu, 10 Aug 2023 08:23:33 +0000
Subject: media: vcodec: Fix potential array out-of-bounds in encoder queue_setup

From: Wei Chen <harperchen1110@xxxxxxxxx>

commit e7f2e65699e2290fd547ec12a17008764e5d9620 upstream.

variable *nplanes is provided by user via system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value of
*nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.

Fix this bug by checking *nplanes against the array size.

Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
Signed-off-by: Wei Chen <harperchen1110@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Chen-Yu Tsai <wenst@xxxxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
@@ -729,6 +729,8 @@ static int vb2ops_venc_queue_setup(struc return -EINVAL; if (*nplanes) { + if (*nplanes != q_data->fmt->num_planes) + return -EINVAL; for (i = 0; i < *nplanes; i++) if (sizes[i] < q_data->sizeimage[i]) return -EINVAL; Patches currently in stable-queue which might be from harperchen1110@xxxxxxxxx are queue-5.10/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
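Review bot: In the `if (*nplanes)` branch of vb2ops_venc_queue_setup, the new check compares `*nplanes` with `q_data->fmt->num_planes`, while the commit message describes checking against the array size, so the bound on `q_data->sizeimage[i]` in the loop that follows holds only if `num_planes` can never exceed that array's length, which these lines do not show. Consider a short comment stating that invariant, or additionally rejecting values above `ARRAY_SIZE(q_data->sizeimage)` if `sizeimage` is a fixed-size array. The strict `!=` also rejects any caller-supplied plane count other than the format's, including smaller ones; if that is intended, the commit message should say so rather than framing the check purely as an upper bound.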