Commit 94994898 authored by Mauro Carvalho Chehab's avatar Mauro Carvalho Chehab Committed by Zhang Kunbo

media: s5p-jpeg: prevent buffer overflows

stable inclusion
from stable-v5.10.230
commit f54e8e1e39dacccebcfb9a9a36f0552a0a97e2ef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KQX
CVE: CVE-2024-53061

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f54e8e1e39dacccebcfb9a9a36f0552a0a97e2ef



--------------------------------

commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.

The current logic allows word to be less than 2. If this happens,
there will be buffer overflows, as reported by smatch. Add extra
checks to prevent it.

While here, remove an unused word = 0 assignment.

Fixes: 6c96dbbc ("[media] s5p-jpeg: add support for 5433")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarZhang Kunbo <zhangkunbo@huawei.com>
parent 81248561
+11 −6
@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
		(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
	jpeg_buffer.curr = 0;

	word = 0;

	if (get_word_be(&jpeg_buffer, &word))
		return;

	if (word < 2)
		jpeg_buffer.size = 0;
	else
		jpeg_buffer.size = (long)word - 2;

	jpeg_buffer.data += 2;
	jpeg_buffer.curr = 0;

@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
	if (byte == -1)
		return -1;
	*word = (unsigned int)byte | temp;

	return 0;
}

@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
			if (get_word_be(&jpeg_buffer, &word))
				break;
			length = (long)word - 2;
			if (!length)
			if (length <= 0)
				return false;
			sof = jpeg_buffer.curr; /* after 0xffc0 */
			sof_len = length;
@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
			if (get_word_be(&jpeg_buffer, &word))
				break;
			length = (long)word - 2;
			if (!length)
			if (length <= 0)
				return false;
			if (n_dqt >= S5P_JPEG_MAX_MARKER)
				return false;
@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
			if (get_word_be(&jpeg_buffer, &word))
				break;
			length = (long)word - 2;
			if (!length)
			if (length <= 0)
				return false;
			if (n_dht >= S5P_JPEG_MAX_MARKER)
				return false;
@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
			if (get_word_be(&jpeg_buffer, &word))
				break;
			length = (long)word - 2;
			/* No need to check underflows as skip() does it  */
			skip(&jpeg_buffer, length);
			break;
		}
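Review bot: In the exynos4_jpeg_parse_decode_h_tbl hunk the new `word < 2` branch sets `jpeg_buffer.size = 0` and then still executes `jpeg_buffer.data += 2` and continues, so a malformed DHT length is parsed as an empty table rather than rejected, and nothing in the hunk says whether that is deliberate or whether an early `return` was meant (the function starts before the hunk, so what the empty buffer feeds into is not visible here). A one-line comment on that branch would settle it for the next reader, e.g. `/* A segment length below 2 is malformed: parse it as empty instead of letting (long)word - 2 go negative */`. The three `length <= 0` checks in s5p_jpeg_parse_hdr guard the same underflow, since `word` is an `unsigned int` (see the get_word_be prototype) and `(long)word - 2` yields -1 or -2 for the values 1 and 0; a short comment at the first of them stating that would explain why `!length` was insufficient. The final hunk leaves `skip(&jpeg_buffer, length)` to absorb a negative length, which the added comment asserts but this page cannot confirm because skip() is outside the diff, so it is worth double-checking that skip() rejects negative values rather than converting them.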