[media] zr364xx: enforce minimum size when reading header

[ Upstream commit ee0fe833d96793853335844b6d99fb76bd12cbeb ]

This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.

Signed-off-by: Alyssa Milburn <amilburn@zall.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
index ca850316d379062271352f7abb54d3bd4cb7c84c..63a603b41b7e006d5aa48f441b25f17e89f5f57b 100644 (file)
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -605,6 +605,14 @@ static int zr364xx_read_video_callback(struct zr364xx_camera *cam,
        ptr = pdest = frm->lpvbits;
 
        if (frm->ulState == ZR364XX_READ_IDLE) {
+               if (purb->actual_length < 128) {
+                       /* header incomplete */
+                       dev_info(&cam->udev->dev,
+                                "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+                                __func__, purb->actual_length);
+                       return -EINVAL;
+               }
+
                frm->ulState = ZR364XX_READ_FRAME;
                frm->cur_size = 0;