

[src/trunk]: src/sys/dev/usb uvideo(4): Fix lengths of various frame descript...



details:   https://anonhg.NetBSD.org/src/rev/d06e51e3001b
branches:  trunk
changeset: 366102:d06e51e3001b
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sat May 14 15:28:59 2022 +0000

description:
uvideo(4): Fix lengths of various frame descriptors.

This driver doesn't use the frame interval members, which are either
fixed (if continuous) or flexible (if discrete) and so can't be
encoded in C types correctly.  If we did use them, it would be
necessary to use pointer arithmetic on char pointers in the enclosing
descriptor buffer.  But we don't, so this is simpler, and fixes the
sizeof checks to avoid running off the end of invalid descriptors.

Should fix failure to parse legitimate descriptors (without
regressing to choking on malicious ones):

-uvideo: found format (index 1) type 9 size 1280x720 size 1843200 stride 2560 interval 333333
- ^ picking this one
-uvideo: found format (index 2) type 9 size 640x480 size 614400 stride 1280 interval 333333
+uvideo: truncated CS subtype-0x7 descriptor, length 30 < 38uvideo: unimplemented VS CS descriptor len=30 type=0x24 subtype=0x07
+uvideo: unimplemented VS CS descriptor len=30 type=0x24 subtype=0x07

diffstat:

 sys/dev/usb/uvideoreg.h |  11 ++++-------
 1 files changed, 4 insertions(+), 7 deletions(-)

diffs (42 lines):

diff -r 5d1c08f26faa -r d06e51e3001b sys/dev/usb/uvideoreg.h
--- a/sys/dev/usb/uvideoreg.h   Sat May 14 15:28:50 2022 +0000
+++ b/sys/dev/usb/uvideoreg.h   Sat May 14 15:28:59 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvideoreg.h,v 1.6 2021/11/14 08:32:07 andvar Exp $     */
+/*     $NetBSD: uvideoreg.h,v 1.7 2022/05/14 15:28:59 riastradh Exp $  */
 
 /*
  * Copyright (c) 2008 Patrick Mahoney
@@ -435,9 +435,8 @@
        uDWord          dwMaxVideoFrameBufferSize;
        uDWord          dwDefaultFrameInterval;
        uByte           bFrameIntervalType;
-       uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_vs_frame_uncompressed_descriptor_t;
-
+CTASSERT(sizeof(uvideo_vs_frame_uncompressed_descriptor_t) == 26);
 
 /* Frame based Format and Frame descriptors.  This is for generic
  * frame based payloads not covered by other types (e.g, uncompressed
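Review bot: After this change the three frame descriptor structs cover only the fixed 26-byte prefix, but the header does not say so, and a later reader could take `sizeof` as the size of the whole descriptor. The frame-interval entries still follow the struct in the descriptor buffer, so any future code that reads them has to bound the access by `bLength` rather than by the C type, as the commit description notes. I would add next to each CTASSERT (here and after `uvideo_frame_frame_based_descriptor_t` and `uvideo_vs_frame_mjpeg_descriptor_t`) a comment such as `/* Fixed part only: frame intervals follow in the buffer; check bLength before reading them. */`. The struct definitions begin outside the hunks, so the 26-byte total cannot be re-derived from the visible lines alone.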
@@ -471,9 +470,8 @@
        uDWord          dwDefaultFrameInterval;
        uByte           bFrameIntervalType;
        uDWord          dwBytesPerLine;
-       uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_frame_frame_based_descriptor_t;
-
+CTASSERT(sizeof(uvideo_frame_frame_based_descriptor_t) == 26);
 
 /* MJPEG format and frame descriptors */
 
@@ -506,9 +504,8 @@
        uDWord          dwMaxVideoFrameBufferSize;
        uDWord          dwDefaultFrameInterval;
        uByte           bFrameIntervalType;
-       uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_vs_frame_mjpeg_descriptor_t;
-
+CTASSERT(sizeof(uvideo_vs_frame_mjpeg_descriptor_t) == 26);
 
 typedef struct {
        uByte           bLength;


