media: s5p-jpeg: prevent buffer overflows

author Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

Tue, 15 Oct 2024 09:10:31 +0000 (11:10 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 14 Nov 2024 12:15:13 +0000 (13:15 +0100)
author Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Tue, 15 Oct 2024 09:10:31 +0000 (11:10 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 14 Nov 2024 12:15:13 +0000 (13:15 +0100)
diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c

index 55814041b8d8f3f6578c9a25bce1f588d94af184..d8d1f17cee83f351f8f69298e9d72e3489b922e8 100644 (file)
--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
                 (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
         jpeg_buffer.curr = 0;
  
-       word = 0;
-
         if (get_word_be(&jpeg_buffer, &word))
                 return;
-       jpeg_buffer.size = (long)word - 2;
+
+       if (word < 2)
+               jpeg_buffer.size = 0;
+       else
+               jpeg_buffer.size = (long)word - 2;
+
         jpeg_buffer.data += 2;
         jpeg_buffer.curr = 0;
  
@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
         if (byte == -1)
                 return -1;
         *word = (unsigned int)byte | temp;
+
         return 0;
  }
  
@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
                         if (get_word_be(&jpeg_buffer, &word))
                                 break;
                         length = (long)word - 2;
-                       if (!length)
+                       if (length <= 0)
                                 return false;
                         sof = jpeg_buffer.curr; /* after 0xffc0 */
                         sof_len = length;
@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
                         if (get_word_be(&jpeg_buffer, &word))
                                 break;
                         length = (long)word - 2;
-                       if (!length)
+                       if (length <= 0)
                                 return false;
                         if (n_dqt >= S5P_JPEG_MAX_MARKER)
                                 return false;
@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
                         if (get_word_be(&jpeg_buffer, &word))
                                 break;
                         length = (long)word - 2;
-                       if (!length)
+                       if (length <= 0)
                                 return false;
                         if (n_dht >= S5P_JPEG_MAX_MARKER)
                                 return false;
@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
                         if (get_word_be(&jpeg_buffer, &word))
                                 break;
                         length = (long)word - 2;
+                       /* No need to check underflows as skip() does it  */
                         skip(&jpeg_buffer, length);
                         break;
                 }
author	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
	Tue, 15 Oct 2024 09:10:31 +0000 (11:10 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 14 Nov 2024 12:15:13 +0000 (13:15 +0100)