media: uvcvideo: Fix 'type' check leading to overflow
When initially testing the Camera Terminal Descriptor wTerminalType field (buffer[4]), no mask is used. Later in the function, the MSB is overloaded to store the descriptor subtype, and so a mask of 0x7fff is used to check the type. If a descriptor is specially crafted to set this overloaded bit in the original wTerminalType field, the initial type check will fail (falling through, without adjusting the buffer size), but the later type checks will pass, assuming the buffer has been made suitably large, causing an overflow. Avoid this problem by checking for the MSB in the wTerminalType field. If the bit is set, assume the descriptor is bad, and abort parsing it. Originally reported here: https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 A similar (non-compiling) patch was provided at that time. Reported-by:syzbot <syzkaller@googlegroups.com> Signed-off-by:
Alistair Strachan <astrachan@google.com> Signed-off-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Loading
-
mentioned in commit 21b67751
-
mentioned in commit 8ba6255c
-
mentioned in commit 41b94849
-
mentioned in commit 0b33b35d
-
mentioned in commit 43d63682
-
mentioned in commit 60aef8ea
-
mentioned in commit 72000863
-
mentioned in commit 446b63f8
-
mentioned in commit 6eef78f9
-
mentioned in commit becbab25
-
mentioned in commit dcc6e71f
Please sign in to comment