summaryrefslogtreecommitdiff
path: root/drivers/media/usb/uvc/uvc_video.c
diff options
context:
space:
mode:
authorAlistair Strachan <astrachan@google.com>2018-12-18 20:32:48 -0500
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>2019-02-07 11:54:14 -0500
commit47bb117911b051bbc90764a8bff96543cbd2005f (patch)
tree888c4dadbb2393f158b69e5cb790f960c9feacb0 /drivers/media/usb/uvc/uvc_video.c
parent69a9005789ad18806490bd8dc70dd6458319cd28 (diff)
media: uvcvideo: Fix 'type' check leading to overflow
When initially testing the Camera Terminal Descriptor wTerminalType field (buffer[4]), no mask is used. Later in the function, the MSB is overloaded to store the descriptor subtype, and so a mask of 0x7fff is used to check the type. If a descriptor is specially crafted to set this overloaded bit in the original wTerminalType field, the initial type check will fail (falling through, without adjusting the buffer size), but the later type checks will pass, assuming the buffer has been made suitably large, causing an overflow. Avoid this problem by checking for the MSB in the wTerminalType field. If the bit is set, assume the descriptor is bad, and abort parsing it. Originally reported here: https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 A similar (non-compiling) patch was provided at that time. Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Alistair Strachan <astrachan@google.com> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/usb/uvc/uvc_video.c')
0 files changed, 0 insertions, 0 deletions