zr364xx: enforce minimum size when reading header

commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.

This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.

Signed-off-by: Alyssa Milburn <amilburn@zall.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
index 7433ba5c4bad8bdf044435977409856b54c9ff9b..fd6a3b36208e7edbbe5f70790576773c7226683a 100644 (file)
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(struct zr364xx_camera *cam,
        ptr = pdest = frm->lpvbits;
 
        if (frm->ulState == ZR364XX_READ_IDLE) {
+               if (purb->actual_length < 128) {
+                       /* header incomplete */
+                       dev_info(&cam->udev->dev,
+                                "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+                                __func__, purb->actual_length);
+                       return -EINVAL;
+               }
+
                frm->ulState = ZR364XX_READ_FRAME;
                frm->cur_size = 0;