git.openpandora.org / pandora-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 94d4350)
[media] go7007: MJPEG buffer overflow
authorPete Eberlein <pete@sensoray.com>
Thu, 23 Sep 2010 17:43:41 +0000 (14:43 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Thu, 21 Oct 2010 03:17:03 +0000 (01:17 -0200)
The go7007 driver has a potential buffer overflow and pointer corruption
bug which causes a crash while capturing MJPEG. The motion detection
(MODET) active_map array can be overflowed by JPEG frame data that
emulates a MODET start code. The active_map overflow overwrites the
active_buf pointer, causing a crash.

The JPEG data that emulated MODET start code was being removed from the
output, resulting in garbled JPEG frames. Therefore ignore MODET start
codes when MODET is not enabled.

Signed-off-by: Pete Eberlein <pete@sensoray.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/staging/go7007/go7007-driver.c patch | blob | history

diff --git a/drivers/staging/go7007/go7007-driver.c b/drivers/staging/go7007/go7007-driver.c
index 372a7c6..b8ecbd8 100644 (file)
--- a/drivers/staging/go7007/go7007-driver.c
+++ b/drivers/staging/go7007/go7007-driver.c
@@ -393,7 +393,8 @@ static void write_bitmap_word(struct go7007 *go)
        for (i = 0; i < 16; ++i) {
                y = (((go->parse_length - 1) << 3) + i) / (go->width >> 4);
                x = (((go->parse_length - 1) << 3) + i) % (go->width >> 4);
-               go->active_map[stride * y + (x >> 3)] |=
+               if (stride * y + (x >> 3) < sizeof(go->active_map))
+                       go->active_map[stride * y + (x >> 3)] |=
                                        (go->modet_word & 1) << (x & 0x7);
                go->modet_word >>= 1;
        }
@@ -485,6 +486,15 @@ void go7007_parse_video_stream(struct go7007 *go, u8 *buf, int length)
                        }
                        break;
                case STATE_00_00_01:
+                       if (buf[i] == 0xF8 && go->modet_enable == 0) {
+                               /* MODET start code, but MODET not enabled */
+                               store_byte(go->active_buf, 0x00);
+                               store_byte(go->active_buf, 0x00);
+                               store_byte(go->active_buf, 0x01);
+                               store_byte(go->active_buf, 0xF8);
+                               go->state = STATE_DATA;
+                               break;
+                       }
                        /* If this is the start of a new MPEG frame,
                         * get a new buffer */
                        if ((go->format == GO7007_FORMAT_MPEG1 ||
Pandora Kernel Repository