[PATCH 5.10 215/599] media: video/hdmi: handle short reads of hdmi info frame.

From: Greg Kroah-Hartman
Date: Tue Apr 05 2022 - 20:19:12 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs()"
Previous message: Jeff Layton: "[PATCH v13 05/59] libceph: support sparse reads on msgr2 secure codepath"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tom Rix <trix@xxxxxxxxxx>

[ Upstream commit 4a92fc6e55da5b87cecb572275deaff6ac9dd27e ]

Calling hdmi_infoframe_unpack() with static sizeof(buffer) skips all
the size checking done later in hdmi_infoframe_unpack(). A better
value is the amount of data read into buffer.

Fixes: 480b8b3e42c3 ("video/hdmi: Pass buffer size to infoframe unpack functions")
Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/media/i2c/adv7511-v4l2.c | 2 +-
drivers/media/i2c/adv7604.c | 2 +-
drivers/media/i2c/adv7842.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
index ab7883cff8b2..9f5713b76794 100644
--- a/drivers/media/i2c/adv7511-v4l2.c
+++ b/drivers/media/i2c/adv7511-v4l2.c
@@ -555,7 +555,7 @@ static void log_infoframe(struct v4l2_subdev *sd, const struct adv7511_cfg_read_
buffer[3] = 0;
buffer[3] = hdmi_infoframe_checksum(buffer, len + 4);

- if (hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer)) < 0) {
+ if (hdmi_infoframe_unpack(&frame, buffer, len + 4) < 0) {
v4l2_err(sd, "%s: unpack of %s infoframe failed\n", __func__, cri->desc);
return;
}
diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index d1f58795794f..8cf1704308bf 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -2454,7 +2454,7 @@ static int adv76xx_read_infoframe(struct v4l2_subdev *sd, int index,
buffer[i + 3] = infoframe_read(sd,
adv76xx_cri[index].payload_addr + i);

- if (hdmi_infoframe_unpack(frame, buffer, sizeof(buffer)) < 0) {
+ if (hdmi_infoframe_unpack(frame, buffer, len + 3) < 0) {
v4l2_err(sd, "%s: unpack of %s infoframe failed\n", __func__,
adv76xx_cri[index].desc);
return -ENOENT;
diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
index f7d2b6cd3008..a870117feb44 100644
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -2574,7 +2574,7 @@ static void log_infoframe(struct v4l2_subdev *sd, const struct adv7842_cfg_read_
for (i = 0; i < len; i++)
buffer[i + 3] = infoframe_read(sd, cri->payload_addr + i);

- if (hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer)) < 0) {
+ if (hdmi_infoframe_unpack(&frame, buffer, len + 3) < 0) {
v4l2_err(sd, "%s: unpack of %s infoframe failed\n", __func__, cri->desc);
return;
}
--
2.34.1

Next message: Greg Kroah-Hartman: "[PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs()"
Previous message: Jeff Layton: "[PATCH v13 05/59] libceph: support sparse reads on msgr2 secure codepath"
In reply to: Greg Kroah-Hartman: "[PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.10 046/599] NFSD: prevent underflow in nfssvc_decode_writeargs()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]