From a0f36d59b751fb7fb0e9dd14b0ae46df8c5c526c Mon Sep 17 00:00:00 2001
From: Brett Witherspoon
Date: Sun, 11 Aug 2024 20:01:21 -0400
Subject: [PATCH] drivers: video: video_stm32_dcmi: Prevent out of bounds memory access

The frame event callback unconditionally copies into the enqueued video buffer. The driver only supports fixed length frames, so reject enqueued buffers that are not large enough to prevent invalid memory access.

Signed-off-by: Brett Witherspoon
---
 drivers/video/video_stm32_dcmi.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/video/video_stm32_dcmi.c b/drivers/video/video_stm32_dcmi.c
index d8f875b7673..5a9ee286271 100644
--- a/drivers/video/video_stm32_dcmi.c
+++ b/drivers/video/video_stm32_dcmi.c
@@ -308,12 +308,17 @@ static int video_stm32_dcmi_enqueue(const struct device *dev,
 struct video_buffer *vbuf)
 {
 struct video_stm32_dcmi_data *data = dev->data;
+ const uint32_t buffer_size = data->pitch * data->height;
 if (ep != VIDEO_EP_OUT) {
 return -EINVAL;
 }
- vbuf->bytesused = data->pitch * data->height;
+ if (buffer_size > vbuf->size) {
+ return -EINVAL;
+ }
+
+ vbuf->bytesused = buffer_size;
 k_fifo_put(&data->fifo_in, vbuf);
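Review bot: The new `buffer_size > vbuf->size` check in video_stm32_dcmi_enqueue validates the buffer against `data->pitch * data->height` as they stand at enqueue time, so it only protects the copy in the frame event callback if that callback copies exactly `vbuf->bytesused` bytes rather than a length recomputed from `data` later. The callback is outside this hunk; if the format can change while buffers are still queued, that is worth confirming there, and a comment above the check such as `/* Frames are fixed length: the frame callback must copy no more than vbuf->bytesused */` would record the invariant. The product is also evaluated in the width of `pitch` and `height`, whose types are not visible here; if they are 32-bit a wrapped result would pass the comparison, so the format should be bounded where it is set. Both the wrong-endpoint and the undersized-buffer paths return `-EINVAL`, so a caller cannot tell them apart without a log line or a distinct error code. The function's signature starts before the hunk and its body continues after it.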