Commit 79178319 authored Dec 07, 2024 by Benoit Sevens Committed by Zeng Heng Dec 07, 2024

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

stable inclusion
from stable-v5.10.230
commit faff5bbb2762c44ec7426037b3000e77a11d6773
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB8G1D
CVE: CVE-2024-53104

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=faff5bbb2762c44ec7426037b3000e77a11d6773



--------------------------------

commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.

This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.

Fixes: c0efd232 ("V4L/DVB (8145a): USB Video Class driver")
Signed-off-by: Benoit Sevens <bsevens@google.com>
Cc: stable@vger.kernel.org
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zeng Heng <zengheng4@huawei.com>

parent e416567e

drivers/media/usb/uvc/uvc_driver.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -575,7 +575,7 @@ static int uvc_parse_format(struct uvc_device *dev,
		/* Parse the frame descriptors. Only uncompressed, MJPEG and frame
		* based formats have frame descriptors.
		*/
		while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
		while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
		buffer[2] == ftype) {
		frame = &format->frame[format->nframes];
		if (ftype != UVC_VS_FRAME_FRAME_BASED)