| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610123526.37316-1-yjjuny.lee@samsung.com> Date: Tue, 10 Jun 2025 21:35:26 +0900 From: Youngjun Lee <yjjuny.lee@...sung.com> To: ribalda@...omium.org Cc: laurent.pinchart@...asonboard.com, hdegoede@...hat.com, mchehab@...nel.org, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, Youngjun Lee <yjjuny.lee@...sung.com> Subject: [PATCH 2/2] usb: uvc: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format(). Signed-off-by: Youngjun Lee <yjjuny.lee@...sung.com> --- drivers/media/usb/uvc/uvc_driver.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index da24a655ab68..1100469a83a2 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_device *dev, u8 ftype; int ret; + if (buflen < 4) + return -EINVAL; + format->type = buffer[2]; format->index = buffer[3]; format->frames = frames; -- 2.43.0
Powered by blists - more mailing lists