[PATCH openEuler-1.0-LTS] media: s5p-jpeg: prevent buffer overflows

22 Nov 2024

From: Mauro Carvalho Chehab mchehab+huawei@kernel.org
stable inclusion
from stable-v4.19.324
commit c5f6fefcda8fac8f082b6c5bf416567f4e100c51
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KQX
CVE: CVE-2024-53061
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
The current logic allows word to be less than 2. If this happens,
there will be buffer overflows, as reported by smatch. Add extra
checks to prevent it.
While here, remove an unused word = 0 assignment.
Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org
Reviewed-by: Jacek Anaszewski jacek.anaszewski@gmail.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Zhang Kunbo zhangkunbo@huawei.com
---
 drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
index 350afaa29a62..1cb5b6228214 100644
--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -803,11 +803,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
    	(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
    jpeg_buffer.curr = 0;
-	word = 0;
-
    if (get_word_be(&jpeg_buffer, &word))
    	return;
-	jpeg_buffer.size = (long)word - 2;
+
+	if (word < 2)
+		jpeg_buffer.size = 0;
+	else
+		jpeg_buffer.size = (long)word - 2;
+
    jpeg_buffer.data += 2;
    jpeg_buffer.curr = 0;
@@ -1086,6 +1089,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
    if (byte == -1)
    	return -1;
    *word = (unsigned int)byte | temp;
+
    return 0;
 }
@@ -1173,7 +1177,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
    		if (get_word_be(&jpeg_buffer, &word))
    			break;
    		length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
    			return false;
    		sof = jpeg_buffer.curr; /* after 0xffc0 */
    		sof_len = length;
@@ -1204,7 +1208,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
    		if (get_word_be(&jpeg_buffer, &word))
    			break;
    		length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
    			return false;
    		if (n_dqt >= S5P_JPEG_MAX_MARKER)
    			return false;
@@ -1217,7 +1221,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
    		if (get_word_be(&jpeg_buffer, &word))
    			break;
    		length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
    			return false;
    		if (n_dht >= S5P_JPEG_MAX_MARKER)
    			return false;
@@ -1242,6 +1246,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
    		if (get_word_be(&jpeg_buffer, &word))
    			break;
    		length = (long)word - 2;
+			/* No need to check underflows as skip() does it  */
    		skip(&jpeg_buffer, length);
    		break;
    	}
-- 
2.34.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS] media: s5p-jpeg: prevent buffer overflows