media: ccs: Fix CCS static data parsing for large block sizes

The length field of the CCS static data blocks was mishandled, leading to wrong interpretation of the length header for blocks that are 16 kiB in size. Such large blocks are very, very rare and so this wasn't found earlier. As the length is used as part of input validation, the issue has no security implications. Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library") Cc: stable@vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
author: Sakari Ailus <sakari.ailus@linux.intel.com> 2024-12-03 10:10:23 +0200
committer: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2024-12-19 12:50:13 +0100
commit: 82b696750f0b60e7513082a10ad42786854f59f8 (patch)
tree: a6cc0a749eb65d3fabb58f1d54c8862ee63f7423
parent: 11f68d2ba2e1521a608af773bf788e8cfa260f68 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/i2c/ccs/ccs-data.c b/drivers/media/i2c/ccs/ccs-data.c
index 08400edf77ce..9d42137f4799 100644
--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -97,7 +97,7 @@ ccs_data_parse_length_specifier(const struct __ccs_data_length_specifier *__len,
 		plen = ((size_t)
 			(__len3->length[0] &
 			 ((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1))
-			<< 16) + (__len3->length[0] << 8) + __len3->length[1];
+			<< 16) + (__len3->length[1] << 8) + __len3->length[2];
 		break;
 	}
 	default:
author	Sakari Ailus <sakari.ailus@linux.intel.com>	2024-12-03 10:10:23 +0200
committer	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>	2024-12-19 12:50:13 +0100
commit	82b696750f0b60e7513082a10ad42786854f59f8 (patch)
tree	a6cc0a749eb65d3fabb58f1d54c8862ee63f7423
parent	11f68d2ba2e1521a608af773bf788e8cfa260f68 (diff)