diff options
| author | Pete Eberlein <pete@sensoray.com> | 2010-09-23 13:43:41 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2010-10-20 23:17:03 -0400 |
| commit | a716e9d75f04ff71fb5e391a7a189b6f1b032bbc (patch) | |
| tree | 7268fc4aba94503801ab6f322cf9f52aff854aa4 /drivers | |
| parent | 94d4350c544066d590eee93582220128e8be8b1c (diff) | |
[media] go7007: MJPEG buffer overflow
The go7007 driver has a potential buffer overflow and pointer corruption
bug which causes a crash while capturing MJPEG. The motion detection
(MODET) active_map array can be overflowed by JPEG frame data that
emulates a MODET start code. The active_map overflow overwrites the
active_buf pointer, causing a crash.
The JPEG data that emulated MODET start code was being removed from the
output, resulting in garbled JPEG frames. Therefore ignore MODET start
codes when MODET is not enabled.
Signed-off-by: Pete Eberlein <pete@sensoray.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/staging/go7007/go7007-driver.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/drivers/staging/go7007/go7007-driver.c b/drivers/staging/go7007/go7007-driver.c index 372a7c6791ca..b8ecbd889761 100644 --- a/drivers/staging/go7007/go7007-driver.c +++ b/drivers/staging/go7007/go7007-driver.c | |||
| @@ -393,7 +393,8 @@ static void write_bitmap_word(struct go7007 *go) | |||
| 393 | for (i = 0; i < 16; ++i) { | 393 | for (i = 0; i < 16; ++i) { |
| 394 | y = (((go->parse_length - 1) << 3) + i) / (go->width >> 4); | 394 | y = (((go->parse_length - 1) << 3) + i) / (go->width >> 4); |
| 395 | x = (((go->parse_length - 1) << 3) + i) % (go->width >> 4); | 395 | x = (((go->parse_length - 1) << 3) + i) % (go->width >> 4); |
| 396 | go->active_map[stride * y + (x >> 3)] |= | 396 | if (stride * y + (x >> 3) < sizeof(go->active_map)) |
| 397 | go->active_map[stride * y + (x >> 3)] |= | ||
| 397 | (go->modet_word & 1) << (x & 0x7); | 398 | (go->modet_word & 1) << (x & 0x7); |
| 398 | go->modet_word >>= 1; | 399 | go->modet_word >>= 1; |
| 399 | } | 400 | } |
| @@ -485,6 +486,15 @@ void go7007_parse_video_stream(struct go7007 *go, u8 *buf, int length) | |||
| 485 | } | 486 | } |
| 486 | break; | 487 | break; |
| 487 | case STATE_00_00_01: | 488 | case STATE_00_00_01: |
| 489 | if (buf[i] == 0xF8 && go->modet_enable == 0) { | ||
| 490 | /* MODET start code, but MODET not enabled */ | ||
| 491 | store_byte(go->active_buf, 0x00); | ||
| 492 | store_byte(go->active_buf, 0x00); | ||
| 493 | store_byte(go->active_buf, 0x01); | ||
| 494 | store_byte(go->active_buf, 0xF8); | ||
| 495 | go->state = STATE_DATA; | ||
| 496 | break; | ||
| 497 | } | ||
| 488 | /* If this is the start of a new MPEG frame, | 498 | /* If this is the start of a new MPEG frame, |
| 489 | * get a new buffer */ | 499 | * get a new buffer */ |
| 490 | if ((go->format == GO7007_FORMAT_MPEG1 || | 500 | if ((go->format == GO7007_FORMAT_MPEG1 || |