summaryrefslogtreecommitdiff
path: root/drivers/media/platform/vicodec
diff options
context:
space:
mode:
authorHans Verkuil <hverkuil@xs4all.nl>2018-11-17 06:25:08 -0500
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>2018-11-20 12:53:36 -0500
commitcb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e (patch)
tree987ee0eccbd2b7cb8435c7527344e81d9d4b38b1 /drivers/media/platform/vicodec
parent0408b205f1ae60c1b99c9888ac0326543d96a091 (diff)
media: vicodec: fix memchr() kernel oops
The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/platform/vicodec')
-rw-r--r--drivers/media/platform/vicodec/vicodec-core.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index b292cff26c86..013cdebecbc4 100644
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -304,7 +304,8 @@ restart:
for (; p < p_out + sz; p++) {
u32 copy;
- p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+ p = memchr(p, magic[ctx->comp_magic_cnt],
+ p_out + sz - p);
if (!p) {
ctx->comp_magic_cnt = 0;
break;