This is an automatic generated email to let you know that the following patch were queued at the http://git.linuxtv.org/cgit.cgi/v4l-utils.git tree:
Subject: edid-decode: fix buffer overread in infoframe parsing Author: Maciej Miszczyk <mmiszc...@logitech.com> Date: Fri Dec 13 13:22:43 2024 +0100 Fix buffer overread in infoframe parsing. Signed-off-by: Maciej Miszczyk <mmiszc...@logitech.com> Signed-off-by: Hans Verkuil <hverk...@xs4all.nl> utils/edid-decode/parse-cta-block.cpp | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --- http://git.linuxtv.org/cgit.cgi/v4l-utils.git/commit/?id=8eb50ff1a393b0818b1c5609a64b14c5f215fea7 diff --git a/utils/edid-decode/parse-cta-block.cpp b/utils/edid-decode/parse-cta-block.cpp index ce47be713527..c7e0b9da9a50 100644 --- a/utils/edid-decode/parse-cta-block.cpp +++ b/utils/edid-decode/parse-cta-block.cpp @@ -2429,9 +2429,18 @@ static void cta_ifdb(const unsigned char *x, unsigned length) length -= len_hdr + 2; x += len_hdr + 2; while (length > 0) { - int payload_len = x[0] >> 5; + unsigned payload_len = x[0] >> 5; unsigned char type = x[0] & 0x1f; + if (payload_len > length) { + fail("Payload size %u exceeds remaining block size (%u).\n", payload_len, length); + break; + } + if (payload_len == 0) { + fail("Payload has 0 size.\n"); + break; + } + const char *name = NULL; if (type < ARRAY_SIZE(infoframe_types)) name = infoframe_types[type]; @@ -2450,6 +2459,8 @@ static void cta_ifdb(const unsigned char *x, unsigned length) x++; length--; } + if (length == 0) + break; x += payload_len; length -= payload_len; }
