From a716e9d75f04ff71fb5e391a7a189b6f1b032bbc Mon Sep 17 00:00:00 2001
From: Pete Eberlein
Date: Thu, 23 Sep 2010 14:43:41 -0300
Subject: [PATCH] [media] go7007: MJPEG buffer overflow

The go7007 driver has a potential buffer overflow and pointer corruption bug which causes a crash while capturing MJPEG.

The motion detection (MODET) active_map array can be overflowed by JPEG frame data that emulates a MODET start code. The active_map overflow overwrites the active_buf pointer, causing a crash. The JPEG data that emulated MODET start code was being removed from the output, resulting in garbled JPEG frames.

Therefore ignore MODET start codes when MODET is not enabled.

Signed-off-by: Pete Eberlein
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/staging/go7007/go7007-driver.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/go7007/go7007-driver.c b/drivers/staging/go7007/go7007-driver.c
index 372a7c6791ca..b8ecbd889761 100644
--- a/drivers/staging/go7007/go7007-driver.c
+++ b/drivers/staging/go7007/go7007-driver.c
@@ -393,7 +393,8 @@ static void write_bitmap_word(struct go7007 *go)
 	for (i = 0; i < 16; ++i) {
 		y = (((go->parse_length - 1) << 3) + i) / (go->width >> 4);
 		x = (((go->parse_length - 1) << 3) + i) % (go->width >> 4);
-		go->active_map[stride * y + (x >> 3)] |=
+		if (stride * y + (x >> 3) < sizeof(go->active_map))
+			go->active_map[stride * y + (x >> 3)] |=
 				(go->modet_word & 1) << (x & 0x7);
 		go->modet_word >>= 1;
 	}
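Review bot: The added guard in write_bitmap_word compares a signed int expression against sizeof(go->active_map), a size_t, so the index is converted to unsigned before the test; that still rejects a negative index (it wraps to a huge value), but it trips -Wsign-compare and the same index expression is then recomputed on the following line. Hoisting it into one value, `size_t idx = stride * y + (x >> 3);` / `if (idx < sizeof(go->active_map))` / `go->active_map[idx] |= (go->modet_word & 1) << (x & 0x7);`, makes the bound and the access agree by construction. The guard also relies on active_map staying an inline array inside struct go7007 (sizeof would silently become the pointer size if it were ever heap-allocated), and it does not cover the `go->width >> 4` divisor two lines above, which is zero for widths below 16; presumably width is validated when the format is set, but that is outside this hunk. Dropping out-of-range bits silently also hides a malformed or hostile stream from anyone debugging the capture; a rate-limited warning in an else branch would make this condition visible when it is hit. write_bitmap_word starts before this hunk, so the declarations of stride, x and y are not visible here.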
@@ -485,6 +486,15 @@ void go7007_parse_video_stream(struct go7007 *go, u8 *buf, int length)
 			}
 			break;
 		case STATE_00_00_01:
+			if (buf[i] == 0xF8 && go->modet_enable == 0) {
+				/* MODET start code, but MODET not enabled */
+				store_byte(go->active_buf, 0x00);
+				store_byte(go->active_buf, 0x00);
+				store_byte(go->active_buf, 0x01);
+				store_byte(go->active_buf, 0xF8);
+				go->state = STATE_DATA;
+				break;
+			}
 			/* If this is the start of a new MPEG frame,
 			 * get a new buffer */
 			if ((go->format == GO7007_FORMAT_MPEG1 ||
-- 
2.39.2
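Review bot: The new STATE_00_00_01 branch only neutralises an emulated MODET start code when modet_enable is 0; with MODET enabled the same 00 00 01 F8 sequence inside JPEG data is still consumed as MODET state, so for that configuration the bounds check added to write_bitmap_word is all that prevents the active_map overwrite, and the garbled-frame symptom from the commit message remains. If MODET is only meaningful for the MPEG formats, gating this condition on go->format as well would close that case, but that needs confirming against the format setup code, which is outside this hunk. The four store_byte() calls pass go->active_buf with no NULL check visible here; if store_byte() does not itself tolerate a NULL buffer this branch needs whatever guard the surrounding STATE_* paths use, and note that go7007_parse_video_stream starts and ends outside this hunk. The comment should also say why the bytes are re-stored, e.g. `/* 00 00 01 F8 is the MODET start code, but MODET is off, so treat it as ordinary frame data: re-emit the bytes the state machine already consumed and keep parsing. */`. A named constant for 0xF8 (the MODET start-code byte) would make the check self-describing.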