media: vicodec: fix memchr() kernel oops

The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-11-17 06:25:08 -05:00 · 2018-11-17 06:25:08 -05:00 · cb3b2ffb75
commit cb3b2ffb75
parent 0408b205f1
1 changed files with 2 additions and 1 deletions
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@ -304,7 +304,8 @@ static int job_ready(void *priv)
 		for (; p < p_out + sz; p++) {
 			u32 copy;

-			p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+			p = memchr(p, magic[ctx->comp_magic_cnt],
+				   p_out + sz - p);
 			if (!p) {
 				ctx->comp_magic_cnt = 0;
 				break;