diff options
| author | Kees Cook <keescook@chromium.org> | 2023-01-06 09:17:04 +0300 |
|---|---|---|
| committer | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2023-01-16 00:45:15 +0300 |
| commit | b839212988575c701aab4d3d9ca15e44c87e383c (patch) | |
| tree | 6d1ef5ff49bc25feb5a4f9e7697c82f008942aa2 /drivers/media/usb | |
| parent | 136effa754b57632f99574fc4a3433e0cfc031d9 (diff) | |
| download | linux-b839212988575c701aab4d3d9ca15e44c87e383c.tar.xz | |
media: uvcvideo: Silence memcpy() run-time false positive warnings
The memcpy() in uvc_video_decode_meta() intentionally copies across the
length and flags members and into the trailing buf flexible array.
Split the copy so that the compiler can better reason about (the lack
of) buffer overflows here. Avoid the run-time false positive warning:
memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)
Additionally fix a typo in the documentation for struct uvc_meta_buf.
Reported-by: ionut_n2001@yahoo.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Diffstat (limited to 'drivers/media/usb')
| -rw-r--r-- | drivers/media/usb/uvc/uvc_video.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 98d34d20afe3..d4b023d4de7c 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1356,7 +1356,9 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream, if (has_scr) memcpy(stream->clock.last_scr, scr, 6); - memcpy(&meta->length, mem, length); + meta->length = mem[0]; + meta->flags = mem[1]; + memcpy(meta->buf, &mem[2], length - 2); meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof); uvc_dbg(stream->dev, FRAME, |