media: ccs: Fix CCS static data parsing for large block sizes

commit 82b696750f0b60e7513082a10ad42786854f59f8 upstream.

The length field of the CCS static data blocks was mishandled, leading to
wrong interpretation of the length header for blocks that are 16 kiB in
size. Such large blocks are very, very rare and so this wasn't found
earlier.

As the length is used as part of input validation, the issue has no
security implications.

Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/media/i2c/ccs/ccs-data.c b/drivers/media/i2c/ccs/ccs-data.c
index c40d859166dd12f0435cc81e6b1183420d733807..2591dba51e17e28b7fffbd9162570887b6f61e6a 100644 (file)
--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -98,7 +98,7 @@ ccs_data_parse_length_specifier(const struct __ccs_data_length_specifier *__len,
                plen = ((size_t)
                        (__len3->length[0] &
                         ((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1))
-                       << 16) + (__len3->length[0] << 8) + __len3->length[1];
+                       << 16) + (__len3->length[1] << 8) + __len3->length[2];
                break;
        }
        default: