From 1a4365c04319aa68fc0bf95e1e556cbd077e3559 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Wed, 12 Feb 2025 11:42:34 -0500 Subject: [PATCH] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format jira VULN-9663 cve CVE-2024-53104 commit-author Benoit Sevens commit ecf2b43018da9579842c774b7f35dbe11b5c38dd This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Signed-off-by: Benoit Sevens Cc: stable@vger.kernel.org Acked-by: Greg Kroah-Hartman Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil (cherry picked from commit ecf2b43018da9579842c774b7f35dbe11b5c38dd) Signed-off-by: Brett Mastbergen --- drivers/media/usb/uvc/uvc_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 512dddf0d43d5..81d522f3de6ff 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -646,7 +646,7 @@ static int uvc_parse_format(struct uvc_device *dev, /* Parse the frame descriptors. Only uncompressed, MJPEG and frame * based formats have frame descriptors. */ - while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && + while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && buffer[2] == ftype) { frame = &format->frame[format->nframes]; if (ftype != UVC_VS_FRAME_FRAME_BASED)
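Review bot: The new `ftype &&` guard in the while condition of uvc_parse_format only works because UVC_VS_UNDEFINED is assumed to be 0, which nothing in the hunk shows; writing it as `ftype != UVC_VS_UNDEFINED` would match the subject line and make the intent readable without looking up the constant. The comment above the loop still only lists which formats have frame descriptors. One added sentence there, saying that a format whose ftype is UVC_VS_UNDEFINED must not have frames parsed because uvc_parse_streaming does not count them when sizing the frames buffer, would record why the guard exists. In the visible context, `frame = &format->frame[format->nframes];` still indexes with no bound of its own, so the fix holds only as long as the two functions agree on which descriptors count as frames. It is worth considering whether nframes can also be checked here against the number of frames that was counted for this format, as defence in depth.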