From: Benoit Sevens <bsevens@xxxxxxxxxx>
commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.
Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Signed-off-by: Benoit Sevens <bsevens@xxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Acked-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/media/usb/uvc/uvc_driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -575,7 +575,7 @@ static int uvc_parse_format(struct uvc_d
/* Parse the frame descriptors. Only uncompressed, MJPEG and frame
* based formats have frame descriptors.
*/
- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+ while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
buffer[2] == ftype) {
frame = &format->frame[format->nframes];
if (ftype != UVC_VS_FRAME_FRAME_BASED)
Patches currently in stable-queue which might be from bsevens@xxxxxxxxxx are
queue-4.19/hid-core-zero-initialize-the-report-buffer.patch
queue-4.19/media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
