mediatek/jpeg: validate data_offsets for v4l2 planes

Message ID 20220623191422.1157518-1-greenjustin@chromium.org
State New

Commit Message

Justin Green June 23, 2022, 7:14 p.m. UTC
Validate V4L2 plane data_offset values. We need to make sure the size of
the image we're encoding does not exceed the size of the buffer minus
its offset.

Signed-off-by: Justin Green <greenjustin@google.com>
---
 drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
index bc5b0a0168ec..8f5c1b9937bc 100644
--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -687,6 +687,10 @@  static int mtk_jpeg_buf_prepare(struct vb2_buffer *vb)
 
 	for (i = 0; i < q_data->fmt->colplanes; i++) {
 		plane_fmt = q_data->pix_mp.plane_fmt[i];
+                if (vb->planes[i].data_offset > vb2_plane_size(vb, i) ||
+                    vb2_plane_size(vb, i) - vb->planes[i].data_offset
+                    < plane_fmt.sizeimage)
+                    return -EINVAL;
 		if (ctx->enable_exif &&
 		    q_data->fmt->fourcc == V4L2_PIX_FMT_JPEG)
 			vb2_set_plane_payload(vb, i, plane_fmt.sizeimage +
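Review bot: the new bound in the colplanes loop of mtk_jpeg_buf_prepare() is compared against plane_fmt.sizeimage alone, but the context lines directly below it set the payload to `plane_fmt.sizeimage +` a further term (cut off here) when ctx->enable_exif is set and the fourcc is V4L2_PIX_FMT_JPEG. A plane that passes this test can therefore still be smaller than the payload set in that branch. Consider computing the required size once per plane, including the EXIF addition where it applies, and comparing that against vb2_plane_size(vb, i) minus data_offset. The order of the two conditions is correct: testing `data_offset > vb2_plane_size(vb, i)` first keeps the unsigned subtraction from wrapping, and a short comment saying so would stop a later cleanup from reordering them. On style, the four added lines are indented with spaces while the surrounding code uses tabs, which checkpatch will flag; caching vb2_plane_size(vb, i) in a local would also shorten the condition.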