From: Laurent Pinchart Date: Fri, 4 Jul 2008 03:34:59 +0000 (-0300) Subject: V4L/DVB (8207): uvcvideo: Fix a buffer overflow in format descriptor parsing X-Git-Tag: v2.6.27-rc1~966^2~134 X-Git-Url: http://ftp.safe.ca/?a=commitdiff_plain;h=233548a2fd934a0220db8b1521c0bc88c82e5e53;p=safe%2Fjmp%2Flinux-2.6 V4L/DVB (8207): uvcvideo: Fix a buffer overflow in format descriptor parsing Thanks to Oliver Neukum for catching and reporting this bug. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c index 60ced58..86bb16d 100644 --- a/drivers/media/video/uvc/uvc_driver.c +++ b/drivers/media/video/uvc/uvc_driver.c @@ -298,7 +298,8 @@ static int uvc_parse_format(struct uvc_device *dev, switch (buffer[2]) { case VS_FORMAT_UNCOMPRESSED: case VS_FORMAT_FRAME_BASED: - if (buflen < 27) { + n = buffer[2] == VS_FORMAT_UNCOMPRESSED ? 27 : 28; + if (buflen < n) { uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming" "interface %d FORMAT error\n", dev->udev->devnum,
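Review bot: The minimum lengths 27 and 28 introduced in `n = buffer[2] == VS_FORMAT_UNCOMPRESSED ? 27 : 28;` are bare magic numbers, and neither the hunk nor the commit message says why a frame-based format descriptor needs one more byte than an uncompressed one. A short comment, or two named constants for the descriptor sizes, would let a reader check each bound against the fields the parser reads, and would make it clear which of the two shared case labels was under-checked by the old `if (buflen < 27)`. Two things cannot be confirmed from the visible lines and are worth checking in the full function: that `n` is declared with a type that compares cleanly against `buflen` (no signed/unsigned mix), and that no read of `buffer[]` further down this case goes past index `n - 1` for either format. Separately, in the unchanged context, the adjacent string literals `"device %d videostreaming"` and `"interface %d FORMAT error\n"` concatenate without a space, so the trace prints "videostreaminginterface"; a trailing space in the first literal would fix that.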