From: Hans Verkuil <hverkuil@xs4all.nl>
Date: Sat, 17 Nov 2018 11:25:08 +0000 (-0500)
Subject: media: vicodec: fix memchr() kernel oops
X-Git-Tag: v4.20-rc6~41^2~5
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e;p=uclinux-h8%2Flinux.git

media: vicodec: fix memchr() kernel oops

The size passed to memchr is too large as it assumes the search
starts at the start of the buffer, but it can start at an offset.

Cc: <stable@vger.kernel.org>      # for v4.19 and up
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
---

diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index b292cff26c86..013cdebecbc4 100644
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -304,7 +304,8 @@ restart:
 		for (; p < p_out + sz; p++) {
 			u32 copy;
 
-			p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+			p = memchr(p, magic[ctx->comp_magic_cnt],
+				   p_out + sz - p);
 			if (!p) {
 				ctx->comp_magic_cnt = 0;
 				break;