This is an automatically generated email to let you know that the following patch was queued:
Subject: media: vicodec: fix memchr() kernel oops
Author: Hans Verkuil hverkuil@xs4all.nl
Date: Sat Nov 17 06:25:08 2018 -0500
The size passed to memchr is too large as it assumes the search starts at the start of the buffer, but it can start at an offset.
Cc: stable@vger.kernel.org # for v4.19 and up
Signed-off-by: Hans Verkuil hverkuil@xs4all.nl
Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org
 drivers/media/platform/vicodec/vicodec-core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
---
diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c index b292cff26c86..013cdebecbc4 100644 --- a/drivers/media/platform/vicodec/vicodec-core.c +++ b/drivers/media/platform/vicodec/vicodec-core.c @@ -304,7 +304,8 @@ restart: for (; p < p_out + sz; p++) { u32 copy;
- p = memchr(p, magic[ctx->comp_magic_cnt], sz); + p = memchr(p, magic[ctx->comp_magic_cnt], + p_out + sz - p); if (!p) { ctx->comp_magic_cnt = 0; break;
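Review bot: In the memchr() call inside the for loop, the new length p_out + sz - p is a pointer difference converted to size_t, and it stays positive only because the loop condition p < p_out + sz guards it. Consider computing the end pointer once before the loop and using it in both the loop condition and the memchr() length, so the two bounds cannot drift apart in a later edit. A short comment at the call site noting that p may already be at an offset from p_out, which is why the remaining length is passed instead of sz, would keep the reason for the bound visible to the next reader.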