From patchwork Wed Oct 16 10:22:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 13838187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 80CC6D1AD46 for ; Wed, 16 Oct 2024 10:37:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=OIxobL63+/xwD/Leoz3sNf0Q/2Pr7neEEEEprIxF8WM=; b=iYrkmXez/CS9aZh0RvN9yFTQeQ 0pjifv7w/fi7pR1t6KDHdWDzHwzZ1/cl3pvXIv7gU/45SkhS2UMLVsyoQrS6SefznVA39Fu9ninVb i6zpzIcRYsmomGLm3I8KUMhCt6TLTZAkFMtpIKCObRBeSxGAnwrndjB2y/ow3Z2HLWTN8akHF3xrS +UUKZBCHd59No0e0dVitOmL39kuElJwl6XRqFnWeP2b6eVEsqkE0tuiqIUqkqvdwnhIe4NH1aqpJr hoFPDkp+WVS96JReC1Zcsgx0FANAHggxGyyRZ5U9WFJ2LevduugvH+0u96f64X98qKzrbwBsBa83n jUqNVZEg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t11PS-0000000BTnP-0FJW; Wed, 16 Oct 2024 10:37:42 +0000 Received: from nyc.source.kernel.org ([147.75.193.91]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1t11As-0000000BPwp-44A5 for linux-arm-kernel@lists.infradead.org; Wed, 16 Oct 2024 10:22:40 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by nyc.source.kernel.org (Postfix) with ESMTP id 2DD5EA43CAF; Wed, 16 Oct 2024 10:22:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D1FBAC4CED1; Wed, 16 Oct 2024 10:22:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1729074157; bh=OwZ5oRre6Qvryx1HKm59rgRRdHOV74pHCRQsrCjAiZo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vRiOwBdOQnR56E9IFo6vSYnI0BAQADVHdAG+nZ55R50yOOJiOYxtPEO61tQWOONLr fC8QtBvHVTVp+1occ1ZxIjDqoTgF+/J0wB/d37FaWstaGML4TLH52bXR9RQioKWcam h8KiQuoy5fMKc1P/1xc6nz2ZYS3DCGufIrlh73lCR7X1WQSuWJQYQAOINtdT06uYV+ o6rzFAzbfbtFamw+NROgiSYqim+BvQtJEjXcM1Kcp51MlQzvs/cr4Cl69ee4kIC89J I8x9zvuDY41PchLrTph0FSAgOFmcPC0aoKU0QFat6bnByYy3NL2tYT/qeKuLw1TXTl zWxJZVm+VL38w== Received: from mchehab by mail.kernel.org with local (Exim 4.98) (envelope-from ) id 1t11Ap-00000004Ymp-2SnT; Wed, 16 Oct 2024 12:22:35 +0200 From: Mauro Carvalho Chehab To: Cc: Mauro Carvalho Chehab , Andrzej Pietrasiewicz , Hans Verkuil , Jacek Anaszewski , Mauro Carvalho Chehab , Sylwester Nawrocki , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows Date: Wed, 16 Oct 2024 12:22:23 +0200 Message-ID: <16ccf3d588665a5a0dda91cbb04374d6aea99ca6.1729074076.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.47.0 In-Reply-To: References: MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20241016_032239_162389_3C9557E6 X-CRM114-Status: GOOD ( 14.77 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The current logic allows word to be less than 2. If this happens, there will be buffer overflows. Add extra checks to prevent it. While here, remove an unused word = 0 assignment. Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433") Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab Reviewed-by: Jacek Anaszewski --- .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c index d2c4a0178b3c..1db4609b3557 100644 --- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c +++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c @@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; jpeg_buffer.curr = 0; - word = 0; - if (get_word_be(&jpeg_buffer, &word)) return; - jpeg_buffer.size = (long)word - 2; + + if (word < 2) + jpeg_buffer.size = 0; + else + jpeg_buffer.size = (long)word - 2; + jpeg_buffer.data += 2; jpeg_buffer.curr = 0; @@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word) if (byte == -1) return -1; *word = (unsigned int)byte | temp; + return 0; } @@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; sof = jpeg_buffer.curr; /* after 0xffc0 */ sof_len = length; @@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; if (n_dqt >= S5P_JPEG_MAX_MARKER) return false; @@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; if (n_dht >= S5P_JPEG_MAX_MARKER) return false; @@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; + /* No need to check underflows as skip() does it */ skip(&jpeg_buffer, length); break; }