On Tue Dec 3 10:10:23 2024 +0200, Sakari Ailus wrote:
> The length field of the CCS static data blocks was mishandled, leading to
> wrong interpretation of the length header for blocks that are 16 kiB in
> size. Such large blocks are very, very rare and so this wasn't found
> earlier.
>
> As the length is used as part of input validation, the issue has no
> security implications.
>
> Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
> Cc: [email protected]
> Signed-off-by: Sakari Ailus <[email protected]>
> Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Patch committed.
Thanks,
Mauro Carvalho Chehab
drivers/media/i2c/ccs/ccs-data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/drivers/media/i2c/ccs/ccs-data.c b/drivers/media/i2c/ccs/ccs-data.c
index 08400edf77ce..9d42137f4799 100644
--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -97,7 +97,7 @@ ccs_data_parse_length_specifier(const struct
__ccs_data_length_specifier *__len,
plen = ((size_t)
(__len3->length[0] &
((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1))
- << 16) + (__len3->length[0] << 8) + __len3->length[1];
+ << 16) + (__len3->length[1] << 8) + __len3->length[2];
break;
}
default:
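Review bot: The three-byte case around the `plen =` assignment carries no comment describing the byte layout, and the one-index slip fixed here (length[0] used twice, length[2] never read) is hard to spot without one. Consider a one-line comment stating that the bits of length[0] below CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT are the most significant part of the length, followed by length[1] and then length[2]. The removed line also added the unmasked length[0], shifted left by 8, so the size-specifier bits were mixed into the computed length. Since the commit message says this length is used in input validation, a test input with a three-byte length specifier would help keep this case covered. Minor style point: only the first term is cast to size_t and the terms are joined with `+`; applying the same cast to each term and combining them with `|` would read more consistently.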