media: vicodec: fix memchr() kernel oops

commit cb3b2ffb757e75fef40fb94bc093cbbf49a6bf6e upstream. The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset. Cc: <stable@vger.kernel.org> # for v4.19 and up Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pierre2324 · Dec 13, 2018 · 663bfc4 · 663bfc4
1 parent c4dabf3
commit 663bfc4
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
@@ -438,7 +438,8 @@ static int job_ready(void *priv)
 		for (; p < p_out + sz; p++) {
 			u32 copy;
 
-			p = memchr(p, magic[ctx->comp_magic_cnt], sz);
+			p = memchr(p, magic[ctx->comp_magic_cnt],
+				   p_out + sz - p);
 			if (!p) {
 				ctx->comp_magic_cnt = 0;
 				break;