[git:v4l-utils/master] edid-decode: fix infoframe DB parsing regression

Fri, 21 Feb 2025 02:20:23 -0800 

This is an automatic generated email to let you know that the following patch 
were queued at the 
http://git.linuxtv.org/cgit.cgi/v4l-utils.git tree:

Subject: edid-decode: fix infoframe DB parsing regression
Author:  Hans Verkuil <hverk...@xs4all.nl>
Date:    Fri Feb 21 00:38:14 2025 +0100

Patch "edid-decode: fix buffer overread in infoframe parsing"
assumed that payload length 0 is illegal, but in fact it is
always 0.

Fixes: 8eb50ff1a393 ("edid-decode: fix buffer overread in infoframe parsing")
Signed-off-by: Hans Verkuil <hverk...@xs4all.nl>

 utils/edid-decode/parse-cta-block.cpp | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

---

http://git.linuxtv.org/cgit.cgi/v4l-utils.git/commit/?id=94a1036b8902c9b364bccad9df87ebcaccef41a7
diff --git a/utils/edid-decode/parse-cta-block.cpp 
b/utils/edid-decode/parse-cta-block.cpp
index b7464611c60f..451ea1f42896 100644
--- a/utils/edid-decode/parse-cta-block.cpp
+++ b/utils/edid-decode/parse-cta-block.cpp
@@ -2423,6 +2423,8 @@ static void cta_ifdb(const unsigned char *x, unsigned 
length)
                fail("Empty Data Block with length %u.\n", length);
                return;
        }
+       if (x[0] & 0x1f)
+               fail("Bits F14-F10 are 0x%02x instead of 0x00.\n", x[0] & 0x1f);
        printf("    VSIFs: %u\n", x[1]);
        if (length < len_hdr + 2)
                return;
@@ -2432,12 +2434,8 @@ static void cta_ifdb(const unsigned char *x, unsigned 
length)
                unsigned payload_len = x[0] >> 5;
                unsigned char type = x[0] & 0x1f;
 
-               if (payload_len > length) {
-                       fail("Payload size %u exceeds remaining block size 
(%u).\n", payload_len, length);
-                       break;
-               }
-               if (payload_len == 0) {
-                       fail("Payload has 0 size.\n");
+               if (payload_len) {
+                       fail("Payload size must be 0, but it is %u.\n", 
payload_len);
                        break;
                }
 
@@ -2448,7 +2446,12 @@ static void cta_ifdb(const unsigned char *x, unsigned 
length)
                        name = "Unknown";
                printf("    %s InfoFrame (%u)", name, type);
 
-               if (type == 1 && length >= 4) {
+               if (type == 1) {
+                       if (length < 4) {
+                               fail("Remaining length %u < 4.\n");
+                               break;
+                       }
+
                        unsigned oui = (x[3] << 16) | (x[2] << 8) | x[1];
 
                        printf(", OUI %s\n", ouitohex(oui).c_str());
@@ -2459,10 +2462,6 @@ static void cta_ifdb(const unsigned char *x, unsigned 
length)
                        x++;
                        length--;
                }
-               if (length == 0)
-                       break;
-               x += payload_len;
-               length -= payload_len;
        }
 }

Reply via email to