diff options
author | Hans Verkuil <hverkuil@xs4all.nl> | 2018-11-17 06:25:08 -0500 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-11-20 12:53:36 -0500 |
commit | cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e (patch) | |
tree | 987ee0eccbd2b7cb8435c7527344e81d9d4b38b1 /drivers/media/platform/vicodec | |
parent | 0408b205f1ae60c1b99c9888ac0326543d96a091 (diff) |
media: vicodec: fix memchr() kernel oops
The size passed to memchr is too large as it assumes the search
starts at the start of the buffer, but it can start at an offset.
Cc: <stable@vger.kernel.org> # for v4.19 and up
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/platform/vicodec')
-rw-r--r-- | drivers/media/platform/vicodec/vicodec-core.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c index b292cff26c86..013cdebecbc4 100644 --- a/drivers/media/platform/vicodec/vicodec-core.c +++ b/drivers/media/platform/vicodec/vicodec-core.c @@ -304,7 +304,8 @@ restart: for (; p < p_out + sz; p++) { u32 copy; - p = memchr(p, magic[ctx->comp_magic_cnt], sz); + p = memchr(p, magic[ctx->comp_magic_cnt], + p_out + sz - p); if (!p) { ctx->comp_magic_cnt = 0; break; |