[PATCH 5.4 38/66] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

15 Nov 2024

5.4-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Benoit Sevens bsevens@google.com
commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.
Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Signed-off-by: Benoit Sevens bsevens@google.com
Cc: stable@vger.kernel.org
Acked-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com
Signed-off-by: Hans Verkuil hverkuil@xs4all.nl
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/media/usb/uvc/uvc_driver.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -602,7 +602,7 @@ static int uvc_parse_format(struct uvc_d
    /* Parse the frame descriptors. Only uncompressed, MJPEG and frame
     * based formats have frame descriptors.
     */
-	while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+	while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
           buffer[2] == ftype) {
    	frame = &format->frame[format->nframes];
    	if (ftype != UVC_VS_FRAME_FRAME_BASED)

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 5.4 38/66] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format