media: s5p-jpeg: prevent buffer overflows (ddf4b47d) · Commits · EulixOS / Software / Kernel

drivers/media/platform/s5p-jpeg/jpeg-core.c

+11 −6

Original line number	Diff line number	Diff line
		@@ -803,11 +803,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
		(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
		jpeg_buffer.curr = 0;

		word = 0;

		if (get_word_be(&jpeg_buffer, &word))
		return;

		if (word < 2)
		jpeg_buffer.size = 0;
		else
		jpeg_buffer.size = (long)word - 2;

		jpeg_buffer.data += 2;
		jpeg_buffer.curr = 0;

		@@ -1086,6 +1089,7 @@ static int get_word_be(struct s5p_jpeg_buffer buf, unsigned int word)
		if (byte == -1)
		return -1;
		*word = (unsigned int)byte \| temp;

		return 0;
		}

		@@ -1173,7 +1177,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
		if (get_word_be(&jpeg_buffer, &word))
		break;
		length = (long)word - 2;
		if (!length)
		if (length <= 0)
		return false;
		sof = jpeg_buffer.curr; /* after 0xffc0 */
		sof_len = length;
		@@ -1204,7 +1208,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
		if (get_word_be(&jpeg_buffer, &word))
		break;
		length = (long)word - 2;
		if (!length)
		if (length <= 0)
		return false;
		if (n_dqt >= S5P_JPEG_MAX_MARKER)
		return false;
		@@ -1217,7 +1221,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
		if (get_word_be(&jpeg_buffer, &word))
		break;
		length = (long)word - 2;
		if (!length)
		if (length <= 0)
		return false;
		if (n_dht >= S5P_JPEG_MAX_MARKER)
		return false;
		@@ -1242,6 +1246,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
		if (get_word_be(&jpeg_buffer, &word))
		break;
		length = (long)word - 2;
		/* No need to check underflows as skip() does it */
		skip(&jpeg_buffer, length);
		break;
		}