OSDN Git Service

(root) / uclinux-h8 / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0408b20)
media: vicodec: fix memchr() kernel oops
authorHans Verkuil <hverkuil@xs4all.nl>
Sat, 17 Nov 2018 11:25:08 +0000 (06:25 -0500)
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Tue, 20 Nov 2018 17:53:36 +0000 (12:53 -0500)
The size passed to memchr is too large as it assumes the search
starts at the start of the buffer, but it can start at an offset.

Cc: <stable@vger.kernel.org> # for v4.19 and up
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
drivers/media/platform/vicodec/vicodec-core.c patch | blob | history

diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index b292cff..013cdeb 100644 (file)
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -304,7 +304,8 @@ restart:
                for (; p < p_out + sz; p++) {
                        u32 copy;
 
-                       p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+                       p = memchr(p, magic[ctx->comp_magic_cnt],
+                                  p_out + sz - p);
                        if (!p) {
                                ctx->comp_magic_cnt = 0;
                                break;
About OSDN
Find Software
Develop Software
Help