From: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx> commit 82b696750f0b60e7513082a10ad42786854f59f8 upstream. The length field of the CCS static data blocks was mishandled, leading to wrong interpretation of the length header for blocks that are 16 kiB in size. Such large blocks are very, very rare and so this wasn't found earlier. As the length is used as part of input validation, the issue has no security implications. Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/media/i2c/ccs/ccs-data.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/i2c/ccs/ccs-data.c +++ b/drivers/media/i2c/ccs/ccs-data.c @@ -98,7 +98,7 @@ ccs_data_parse_length_specifier(const st plen = ((size_t) (__len3->length[0] & ((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1)) - << 16) + (__len3->length[0] << 8) + __len3->length[1]; + << 16) + (__len3->length[1] << 8) + __len3->length[2]; break; } default: Patches currently in stable-queue which might be from sakari.ailus@xxxxxxxxxxxxxxx are queue-5.15/media-camif-core-add-check-for-clk_enable.patch queue-5.15/media-ccs-fix-ccs-static-data-parsing-for-large-block-sizes.patch queue-5.15/media-ccs-clean-up-parsed-ccs-static-data-on-parse-failure.patch queue-5.15/media-ov5640-fix-get_light_freq-on-auto.patch queue-5.15/media-ccs-fix-cleanup-order-in-ccs_probe.patch queue-5.15/media-marvell-add-check-for-clk_enable.patch queue-5.15/media-i2c-ov9282-correct-the-exposure-offset.patch queue-5.15/media-mc-fix-endpoint-iteration.patch queue-5.15/media-mipi-csis-add-check-for-clk_enable.patch queue-5.15/media-i2c-imx412-add-missing-newline-to-prints.patch
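Review bot: the three-byte case of ccs_data_parse_length_specifier() carries no comment documenting the byte layout of the length field, which is how `length[0]` came to be used twice in the `plen` expression before this fix. A short comment above the expression, stating that the masked low bits of `length[0]` are the most significant part and are followed by `length[1]` and then `length[2]`, would make the indexing checkable at a glance. Separately, the commit message says the issue has no security implications because the length is used as part of input validation, but the check that compares `plen` against the remaining data lies outside the context shown here. Naming that check in the message would let stable reviewers confirm the claim from the patch alone.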