In preparation for FORTIFY_SOURCE performing run-time destination buffer
bounds checking for memcpy(), specify the destination output buffer
explicitly, instead of asking memcpy() to write past the end of what looked
like a fixed-size object.
Notice that raw_frame is a pointer to a structure that contains
flexible-array member rawframe[]:
drivers/media/usb/pwc/pwc.h:
190 struct pwc_raw_frame {
191 __le16 type; /* type of the webcam */
192 __le16 vbandlength; /* Size of 4 lines compressed (used by the
193 decompressor) */
194 __u8 cmd[4]; /* the four byte of the command (in case of
195 nala, only the first 3 bytes is filled) */
196 __u8 rawframe[]; /* frame_size = H / 4 * vbandlength */
197 } __packed;
Link: https://github.com/KSPP/linux/issues/200
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
* first 3 bytes is filled (Nala case). We can
* determine this using the type of the webcam */
memcpy(raw_frame->cmd, pdev->cmd_buf, 4);
- memcpy(raw_frame+1, yuv, pdev->frame_size);
+ memcpy(raw_frame->rawframe, yuv, pdev->frame_size);
vb2_set_plane_payload(&fbuf->vb.vb2_buf, 0,
struct_size(raw_frame, rawframe, pdev->frame_size));
return 0;