media: vicodec: fix memchr() kernel oops

commit cb3b2ffb upstream. The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: vicodec: fix memchr() kernel oops
commit cb3b2ffb upstream. The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
663bfc44 · Hans Verkuil · Greg Kroah-Hartman · c4dabf37 · 663bfc44
Commit 663bfc44 authored Nov 17, 2018 by Hans Verkuil Committed by Greg Kroah-Hartman Dec 13, 2018
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/media/platform/vicodec/vicodec-core.c drivers/media/platform/vicodec/vicodec-core.c +2 -1

No files found.
--- a/drivers/media/platform/vicodec/vicodec-core.c
+++ b/drivers/media/platform/vicodec/vicodec-core.c
@@ -438,7 +438,8 @@ static int job_ready(void *priv)
 		for (; p < p_out + sz; p++) {
 			u32 copy;

-			p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+			p = memchr(p, magic[ctx->comp_magic_cnt],
+				   p_out + sz - p);
 			if (!p) {
 				ctx->comp_magic_cnt = 0;
 				break;