]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
media: v4l2-ctrls: validate HEVC active reference counts
authorPengpeng Hou <pengpeng@iscas.ac.cn>
Tue, 24 Mar 2026 03:13:26 +0000 (11:13 +0800)
committerHans Verkuil <hverkuil+cisco@kernel.org>
Mon, 4 May 2026 06:35:14 +0000 (08:35 +0200)
commitafbe4bc252d90a6f8fad869b06d5430f615f22f9
tree15331f76d56976d30295b0a279b713bd2f16e83b
parent05ec592de0dd984b3c639f8e7dec9441b5bcf83b
media: v4l2-ctrls: validate HEVC active reference counts

HEVC slice parameters are shared stateless V4L2 controls, but the common
validation path does not verify the active L0/L1 reference counts before
driver-specific code consumes them.

The original report came from Cedrus, but the active count bounds are
not Cedrus-specific. Validate them in the common HEVC slice control path
so stateless HEVC drivers get the same basic guarantees as soon as the
control is queued.

Do not reject ref_idx_l0/ref_idx_l1 entries here. Existing userspace may
use out-of-range sentinel values such as 0xff for missing references, and
some hardware can use that information for concealment. Keep this common
check limited to the active reference counts.

Fixes: d395a78db9eab ("media: hevc: Add decode params control")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/media/v4l2-core/v4l2-ctrls-core.c