
media: s5p-jpeg: prevent buffer overflows

The current logic allows word to be less than 2. If this happens,
there will be buffer overflows, as reported by smatch. Add extra
checks to prevent it.

While here, remove an unused word = 0 assignment.

Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>

+11 -6
+11 -6
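--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
@@ -775,11 +775,14 @@
 (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
 jpeg_buffer.curr = 0;
 
-word = 0;
-
 if (get_word_be(&jpeg_buffer, &word))
 return;
-jpeg_buffer.size = (long)word - 2;
+
+if (word < 2)
+jpeg_buffer.size = 0;
+else
+jpeg_buffer.size = (long)word - 2;
+
 jpeg_buffer.data += 2;
 jpeg_buffer.curr = 0;
 
@@ -1061,6 +1058,7 @@
 if (byte == -1)
 return -1;
 *word = (unsigned int)byte | temp;
+
 return 0;
 }
 
@@ -1149,7 +1145,7 @@
 if (get_word_be(&jpeg_buffer, &word))
 break;
 length = (long)word - 2;
-if (!length)
+if (length <= 0)
 return false;
 sof = jpeg_buffer.curr; /* after 0xffc0 */
 sof_len = length;
@@ -1180,7 +1176,7 @@
 if (get_word_be(&jpeg_buffer, &word))
 break;
 length = (long)word - 2;
-if (!length)
+if (length <= 0)
 return false;
 if (n_dqt >= S5P_JPEG_MAX_MARKER)
 return false;
@@ -1193,7 +1189,7 @@
 if (get_word_be(&jpeg_buffer, &word))
 break;
 length = (long)word - 2;
-if (!length)
+if (length <= 0)
 return false;
 if (n_dht >= S5P_JPEG_MAX_MARKER)
 return false;
@@ -1218,6 +1214,7 @@
 if (get_word_be(&jpeg_buffer, &word))
 break;
 length = (long)word - 2;
+/* No need to check underflows as skip() does it */
 skip(&jpeg_buffer, length);
 break;
 }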
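Review bot: The last hunk (new line 1217) still hands a possibly negative `length` to skip() and only the added comment asserts that skip() tolerates the underflow; skip() is not part of this section, so that claim cannot be checked here, and the three preceding hunks make the same bound explicit with `if (length <= 0) return false;`, so an explicit guard in this path would keep the parser self-contained and consistent. A segment with no payload is legitimate for an unknown marker, so the guard should be `if (length < 0) return false;` placed before `skip(&jpeg_buffer, length);`, with the comment then dropped or reworded to say exactly what skip() clamps. The enclosing function begins and ends outside the hunk. In the first hunk, `if (word < 2) jpeg_buffer.size = 0;` deliberately continues with an empty buffer instead of returning; a one-line comment such as `/* truncated SOS header: parse nothing rather than read past the plane */` would make that intent clear to the next reader, assuming that is the intended outcome.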