diff options
author | Wei Chen <harperchen1110@gmail.com> | 2023-03-29 09:05:13 +0100 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@kernel.org> | 2023-04-15 08:18:56 +0100 |
commit | 8fbcf730cb89c3647f3365226fe7014118fa93c7 (patch) | |
tree | 19db0efedcd8f75db80c4ffc0fa7e345b8ba1f49 /drivers/media | |
parent | e2a10b3801061d05d3e3415b9b824251451cfd6c (diff) |
media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
variable *nplanes is provided by user via system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.
Fix this bug by checking *nplanes against the array size.
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Diffstat (limited to 'drivers/media')
-rw-r--r-- | drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c index c99705681a03..93fcea821001 100644 --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c @@ -735,6 +735,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers, } if (*nplanes) { + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { + if (*nplanes != q_data->fmt->num_planes) + return -EINVAL; + } else { + if (*nplanes != 1) + return -EINVAL; + } for (i = 0; i < *nplanes; i++) { if (sizes[i] < q_data->sizeimage[i]) return -EINVAL; |