media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream. This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming. Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") Signed-off-by: Benoit Sevens <bsevens@google.com> Cc: stable@vger.kernel.org Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Benoit Sevens <bsevens@google.com> 2024-11-07 14:22:02 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-11-22 15:30:26 +0100
commit: 1ee9d9122801eb688783acd07791f2906b87cb4f (patch)
tree: 18f7cfd5ce3d206907b1162e3aa6c776e8b5495c
parent: 8621725afb38e111969c64280b71480afde2aace (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index 0fac689c6350..13db0026dc1a 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -371,7 +371,7 @@ static int uvc_parse_format(struct uvc_device *dev,
 	 * Parse the frame descriptors. Only uncompressed, MJPEG and frame
 	 * based formats have frame descriptors.
 	 */
-	while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+	while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
 	       buffer[2] == ftype) {
 		unsigned int maxIntervalIndex;
author	Benoit Sevens <bsevens@google.com>	2024-11-07 14:22:02 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-11-22 15:30:26 +0100
commit	1ee9d9122801eb688783acd07791f2906b87cb4f (patch)
tree	18f7cfd5ce3d206907b1162e3aa6c776e8b5495c
parent	8621725afb38e111969c64280b71480afde2aace (diff)