authorDafna Hirschfeld2019-01-24 10:51:08 +0100
committerMauro Carvalho Chehab2019-01-26 12:10:26 +0100
commitf863f222b49a9c7a6cfcc72f1ac74ab14c7a7258 (patch)
treef759e369b2448a8c499486f4faf396ff2e1f320c /drivers/media/platform/vicodec/vicodec-core.c
parentmedia: vicodec: Add support for resolution change event. (diff)
media: vicodec: ensure comp frame pointer kept in range
Make sure that the pointer to the compressed frame does not get out of the buffer. Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/platform/vicodec/vicodec-core.c')
-rw-r--r--drivers/media/platform/vicodec/vicodec-core.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index 454476a9f659..28c3a3d57783 100644
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -186,6 +186,10 @@ static int device_process(struct vicodec_ctx *ctx,
return ret;
vb2_set_plane_payload(&dst_vb->vb2_buf, 0, ret);
} else {
+ unsigned int comp_frame_size = ntohl(ctx->state.header.size);
+
+ if (comp_frame_size > ctx->comp_max_size)
+ return -EINVAL;
state->info = q_dst->info;
ret = v4l2_fwht_decode(state, p_src, p_dst);
if (ret < 0)
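Review bot: The length validated in the decode branch never reaches the decoder: `comp_frame_size` is compared with `ctx->comp_max_size` and then dropped, while `v4l2_fwht_decode(state, p_src, p_dst)` is called without a length argument. Whether the decoder stays inside the compressed buffer while parsing therefore depends on checks that are not visible in this hunk; that is worth confirming, since `header.size` appears to come from the stream itself. The check also reads `ctx->state.header.size` while the following lines go through `state`; if `state` is `&ctx->state` (its declaration is outside the hunk), `ntohl(state->header.size)` would match the surrounding code. A short comment above the check would record the intent, e.g. `/* header.size is taken from the bitstream; reject frames larger than the compressed-frame buffer */`. device_process() starts and ends outside this hunk.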