[media] gspca_topro: Add a couple of missing length check in the packet parsing code

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

authored by

Hans de Goede and committed by

Mauro Carvalho Chehab 12 years ago e15fd244 ce4452e6

+9 -1

1 changed file

expand all

drivers

media

usb

gspca

topro.c

+9 -1

drivers/media/usb/gspca/topro.c

··· 4631 4631 } 4632 4632 data++; 4633 4633 len--; 4634 + if (len < 2) { 4635 + gspca_dev->last_packet_type = DISCARD_PACKET; 4636 + return; 4637 + } 4634 4638 if (*data == 0xff && data[1] == 0xd8) { 4635 4639 /*fixme: there may be information in the 4 high bits*/ 4640 + if (len < 7) { 4641 + gspca_dev->last_packet_type = DISCARD_PACKET; 4642 + return; 4643 + } 4636 4644 if ((data[6] & 0x0f) != sd->quality) 4637 4645 set_dqt(gspca_dev, data[6] & 0x0f); 4638 4646 gspca_frame_add(gspca_dev, FIRST_PACKET, ··· 4680 4672 gspca_dev->last_packet_type = DISCARD_PACKET; 4681 4673 break; 4682 4674 case 0xcc: 4683 - if (data[1] != 0xff || data[2] != 0xd8) 4675 + if (len >= 3 && (data[1] != 0xff || data[2] != 0xd8)) 4684 4676 gspca_frame_add(gspca_dev, INTER_PACKET, 4685 4677 data + 1, len - 1); 4686 4678 else