Commit 663bfc44, author: Hans Verkuil, committer: Greg Kroah-Hartman

media: vicodec: fix memchr() kernel oops

commit cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e upstream.

The size passed to memchr is too large as it assumes the search
starts at the start of the buffer, but it can start at an offset.

Cc: <stable@vger.kernel.org>      # for v4.19 and up
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Parent c4dabf37
...@@ -438,7 +438,8 @@ static int job_ready(void *priv) ...@@ -438,7 +438,8 @@ static int job_ready(void *priv)
for (; p < p_out + sz; p++) { for (; p < p_out + sz; p++) {
u32 copy; u32 copy;
p = memchr(p, magic[ctx->comp_magic_cnt], sz); p = memchr(p, magic[ctx->comp_magic_cnt],
p_out + sz - p);
if (!p) { if (!p) {
ctx->comp_magic_cnt = 0; ctx->comp_magic_cnt = 0;
break; break;
......
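Review bot: The new memchr() length `p_out + sz - p` is only positive because the enclosing `for (; p < p_out + sz; p++)` condition holds when the body is entered, and the end bound `p_out + sz` is now written out twice. Consider hoisting it into a local end pointer (for example `end`, a name that is not in the patch) and using it both in the loop condition and in the memchr() length, so the two cannot drift apart and the pointer difference that is converted to memchr()'s size_t argument is visibly bounded. The `u32 copy` declaration suggests a copy length is computed in the part of the loop this view elides; it is worth confirming that it is also measured from `p` and not from the start of the buffer.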