| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610113722.36820-1-yjjuny.lee@samsung.com>
Date: Tue, 10 Jun 2025 20:37:22 +0900
From: Youngjun Lee <yjjuny.lee@...sung.com>
To: laurent.pinchart@...asonboard.com, hdegoede@...hat.com,
mchehab@...nel.org
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, Youngjun Lee
<yjjuny.lee@...sung.com>
Subject: [PATCH] usb: uvc: Fix 1-byte out-of-bounds read in
uvc_parse_format()
The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), buf the function
accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes before passing it
to uvc_parse_format().
Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com>
---
drivers/media/usb/uvc/uvc_driver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index da24a655ab68..60367d9e1c05 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -729,7 +729,7 @@ static int uvc_parse_streaming(struct uvc_device *dev,
streaming->nformats = 0;
/* Parse the format descriptors. */
- while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE) {
+ while (buflen > 3 && buffer[1] == USB_DT_CS_INTERFACE) {
switch (buffer[2]) {
case UVC_VS_FORMAT_UNCOMPRESSED:
case UVC_VS_FORMAT_MJPEG:
--
2.43.0
Powered by blists - more mailing lists