[PATCH] media: mediatek: jpeg: Fix potential array out-of-bounds in mtk_jpeg_queue_setup
499671216 at qq.com
499671216 at qq.com
Sun Jun 11 23:20:13 PDT 2023
From: yqsun1997 <yqsun1997 at gmail.com>
The variable *num_planes is provided by user.
The possible value of q_data->fmt->colplanes is 1-3,
The array access by index can cause array out-of-bounds.
same as commit 8fbcf730
Signed-off-by: yqsun1997 <yqsun1997 at gmail.com>
---
drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
index 0051f372a..de8798511 100644
--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -689,6 +689,9 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
return -EINVAL;
if (*num_planes) {
+ if (*num_planes != q_data->fmt->num_planes)
+ return -EINVAL;
+
for (i = 0; i < *num_planes; i++)
if (sizes[i] < q_data->pix_mp.plane_fmt[i].sizeimage)
return -EINVAL;
--
2.34.1
More information about the linux-arm-kernel
mailing list