media: vicodec: fix memchr() kernel oops

The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
author: Hans Verkuil <hverkuil@xs4all.nl> 2018-11-17 12:25:08 +0100
committer: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> 2018-11-20 18:53:36 +0100
commit: cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e (patch)
tree: 987ee0eccbd2b7cb8435c7527344e81d9d4b38b1 /drivers
parent: media: cedrus: add action item to the TODO (diff)
download: linux-cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e.tar.xz
linux-cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
index b292cff26c86..013cdebecbc4 100644
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -304,7 +304,8 @@ restart:
 		for (; p < p_out + sz; p++) {
 			u32 copy;
 
-			p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+			p = memchr(p, magic[ctx->comp_magic_cnt],
+				   p_out + sz - p);
 			if (!p) {
 				ctx->comp_magic_cnt = 0;
 				break;
author	Hans Verkuil <hverkuil@xs4all.nl>	2018-11-17 12:25:08 +0100
committer	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>	2018-11-20 18:53:36 +0100
commit	cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e (patch)
tree	987ee0eccbd2b7cb8435c7527344e81d9d4b38b1 /drivers
parent	media: cedrus: add action item to the TODO (diff)
download	linux-cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e.tar.xz linux-cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e.zip