media: ccs: Fix CCS static data parsing for large block sizes

commit 82b696750f0b60e7513082a10ad42786854f59f8 upstream. The length field of the CCS static data blocks was mishandled, leading to wrong interpretation of the length header for blocks that are 16 kiB in size. Such large blocks are very, very rare and so this wasn't found earlier. As the length is used as part of input validation, the issue has no security implications. Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library") Cc: stable@vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Sakari Ailus <sakari.ailus@linux.intel.com> 2024-12-03 10:10:23 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-02-17 10:05:34 +0100
commit: c85a33577c11acee82895242320af4cebe5b8ec6 (patch)
tree: c54a895fadb1005d6d90cd1af8057a520b1e9ff7
parent: ffb7e57e40c688dd2ecbff82aa3c359823e6083b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/i2c/ccs/ccs-data.c b/drivers/media/i2c/ccs/ccs-data.c
index c40d859166dd..2591dba51e17 100644
--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -98,7 +98,7 @@ ccs_data_parse_length_specifier(const struct __ccs_data_length_specifier *__len,
 		plen = ((size_t)
 			(__len3->length[0] &
 			 ((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1))
-			<< 16) + (__len3->length[0] << 8) + __len3->length[1];
+			<< 16) + (__len3->length[1] << 8) + __len3->length[2];
 		break;
 	}
 	default:
author	Sakari Ailus <sakari.ailus@linux.intel.com>	2024-12-03 10:10:23 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-02-17 10:05:34 +0100
commit	c85a33577c11acee82895242320af4cebe5b8ec6 (patch)
tree	c54a895fadb1005d6d90cd1af8057a520b1e9ff7
parent	ffb7e57e40c688dd2ecbff82aa3c359823e6083b (diff)