media: vcodec: Fix potential array out-of-bounds in encoder queue_setup

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

variable *nplanes is provided by user via system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.

Fix this bug by checking *nplanes against the array size.

Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

authored by

Wei Chen and committed by

Hans Verkuil 2 years ago e7f2e656 2908042a

1 changed file

expand all

drivers

media

platform

mediatek

vcodec

mtk_vcodec_enc.c

drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c

··· 821 821 return -EINVAL; 822 822 823 823 if (*nplanes) { 824 + if (*nplanes != q_data->fmt->num_planes) 825 + return -EINVAL; 824 826 for (i = 0; i < *nplanes; i++) 825 827 if (sizes[i] < q_data->sizeimage[i]) 826 828 return -EINVAL;