From: Jay Fenlason <fenlason@redhat.com>
Date: Mon, 10 Nov 2008 16:06:13 -0500
Subject: [video] uvc: buf overflow in format descriptor parsing
Message-id: 20081110210613.GA31653@redhat.com
O-Subject: [PATCH RHEL 5.3] bz#470427 CVE-2008-3496 kernel: uvcvideo: Fix a buffer overflow in format descriptor parsing [rhel-5.3]
Bugzilla: 470427
CVE: CVE-2008-3496
uvc_driver.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c
index 9fffdd1..3e1d91b 100644
--- a/drivers/media/video/uvc/uvc_driver.c
+++ b/drivers/media/video/uvc/uvc_driver.c
@@ -298,7 +298,8 @@ static int uvc_parse_format(struct uvc_device *dev,
switch (buffer[2]) {
case VS_FORMAT_UNCOMPRESSED:
case VS_FORMAT_FRAME_BASED:
- if (buflen < 27) {
+ n = buffer[2] == VS_FORMAT_UNCOMPRESSED ? 27 : 28;
+ if (buflen < n) {
uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming"
"interface %d FORMAT error\n",
dev->udev->devnum,
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
89877e42827f16fa5f86b1df0c2860b1
>
files
>
2380
