Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup

The variable *nplanes is provided by the user via a system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.

Fix this bug by checking *nplanes against the array size.

Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

authored by Wei Chen and committed by Mauro Carvalho Chehab
8fbcf730 e2a10b38

+7
+7
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
··· 735 735 } 736 736 737 737 if (*nplanes) { 738 + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { 739 + if (*nplanes != q_data->fmt->num_planes) 740 + return -EINVAL; 741 + } else { 742 + if (*nplanes != 1) 743 + return -EINVAL; 744 + } 738 745 for (i = 0; i < *nplanes; i++) { 739 746 if (sizes[i] < q_data->sizeimage[i]) 740 747 return -EINVAL;
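
Review bot: The else branch (new lines 741-744) compares *nplanes against a bare literal 1 with no comment saying why every queue type other than V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE is limited to one plane, and both branches demand exact equality rather than an upper bound. That is stricter than the "checking *nplanes against the array size" the commit message describes: a caller passing fewer planes than q_data->fmt->num_planes now gets -EINVAL as well, which should be stated as intended. Suggest a one-line comment above the check naming the invariant it protects (the loop that follows indexes sizes[i] and q_data->sizeimage[i] up to *nplanes), and either a named constant or the queue's own format plane count in place of the literal. The nesting can also be flattened to `else if (*nplanes != 1)` to match the surrounding early-return style.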