V4L/DVB (8207): uvcvideo: Fix a buffer overflow in format descriptor parsing

author Laurent Pinchart <laurent.pinchart@skynet.be>

Fri, 4 Jul 2008 03:34:59 +0000 (00:34 -0300)

committer Mauro Carvalho Chehab <mchehab@infradead.org>

Sun, 20 Jul 2008 10:17:34 +0000 (07:17 -0300)
author Laurent Pinchart <laurent.pinchart@skynet.be>
Fri, 4 Jul 2008 03:34:59 +0000 (00:34 -0300)
committer Mauro Carvalho Chehab <mchehab@infradead.org>
Sun, 20 Jul 2008 10:17:34 +0000 (07:17 -0300)
diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c

index 60ced58..86bb16d 100644 (file)
--- a/drivers/media/video/uvc/uvc_driver.c
+++ b/drivers/media/video/uvc/uvc_driver.c
@@ -298,7 +298,8 @@ static int uvc_parse_format(struct uvc_device *dev,
         switch (buffer[2]) {
         case VS_FORMAT_UNCOMPRESSED:
         case VS_FORMAT_FRAME_BASED:
-               if (buflen < 27) {
+               n = buffer[2] == VS_FORMAT_UNCOMPRESSED ? 27 : 28;
+               if (buflen < n) {
                         uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming"
                                "interface %d FORMAT error\n",
                                dev->udev->devnum,
author	Laurent Pinchart <laurent.pinchart@skynet.be>
	Fri, 4 Jul 2008 03:34:59 +0000 (00:34 -0300)
committer	Mauro Carvalho Chehab <mchehab@infradead.org>
	Sun, 20 Jul 2008 10:17:34 +0000 (07:17 -0300)