* [PATCH 7/7] media: cedrus: validate HEVC slice reference lists
@ 2026-03-23 7:03 Pengpeng Hou
2026-03-23 8:04 ` Jernej Škrabec
2026-03-23 8:30 ` Pengpeng Hou
0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-23 7:03 UTC (permalink / raw)
To: mripard
Cc: paulk, mchehab, gregkh, wens, jernej.skrabec, samuel, linux-media,
linux-staging, linux-arm-kernel, linux-sunxi, linux-kernel,
pengpeng
Cedrus consumes HEVC slice parameters directly from stateless V4L2
controls, but it does not validate the active reference counts or the
ref_idx_l0/ref_idx_l1 values before using them in fixed-size 16-entry
reference arrays. Oversized counts or indices can therefore walk past
the end of those arrays in the HEVC decode path.
Reject HEVC slice controls whose active reference counts or reference
indices exceed V4L2_HEVC_DPB_ENTRIES_NUM_MAX.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/staging/media/sunxi/cedrus/cedrus.c | 22 +++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index 6600245dff0e..d68da1eaa7aa 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -77,6 +77,28 @@ static int cedrus_try_ctrl(struct v4l2_ctrl *ctrl)
ctx->bit_depth = bit_depth;
cedrus_reset_cap_format(ctx);
}
+ } else if (ctrl->id == V4L2_CID_STATELESS_HEVC_SLICE_PARAMS) {
+ const struct v4l2_ctrl_hevc_slice_params *slice = ctrl->p_new.p_hevc_slice_params;
+ unsigned int i;
+
+ if (slice->num_ref_idx_l0_active_minus1 >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ for (i = 0; i <= slice->num_ref_idx_l0_active_minus1; i++)
+ if (slice->ref_idx_l0[i] >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ if (slice->slice_type == V4L2_HEVC_SLICE_TYPE_B) {
+ if (slice->num_ref_idx_l1_active_minus1 >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ for (i = 0; i <= slice->num_ref_idx_l1_active_minus1; i++)
+ if (slice->ref_idx_l1[i] >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+ }
}
return 0;
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH 7/7] media: cedrus: validate HEVC slice reference lists
2026-03-23 7:03 [PATCH 7/7] media: cedrus: validate HEVC slice reference lists Pengpeng Hou
@ 2026-03-23 8:04 ` Jernej Škrabec
2026-03-23 8:30 ` Pengpeng Hou
1 sibling, 0 replies; 3+ messages in thread
From: Jernej Škrabec @ 2026-03-23 8:04 UTC (permalink / raw)
To: mripard, Pengpeng Hou
Cc: paulk, mchehab, gregkh, wens, samuel, linux-media, linux-staging,
linux-arm-kernel, linux-sunxi, linux-kernel, pengpeng
Dne ponedeljek, 23. marec 2026 ob 08:03:14 Srednjeevropski standardni čas je Pengpeng Hou napisal(a):
> Cedrus consumes HEVC slice parameters directly from stateless V4L2
> controls, but it does not validate the active reference counts or the
> ref_idx_l0/ref_idx_l1 values before using them in fixed-size 16-entry
> reference arrays. Oversized counts or indices can therefore walk past
> the end of those arrays in the HEVC decode path.
>
> Reject HEVC slice controls whose active reference counts or reference
> indices exceed V4L2_HEVC_DPB_ENTRIES_NUM_MAX.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
There is nothing Cedrus specific here. Why not move it to common code?
Best regards,
Jernej
> ---
> drivers/staging/media/sunxi/cedrus/cedrus.c | 22 +++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
> index 6600245dff0e..d68da1eaa7aa 100644
> --- a/drivers/staging/media/sunxi/cedrus/cedrus.c
> +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
> @@ -77,6 +77,28 @@ static int cedrus_try_ctrl(struct v4l2_ctrl *ctrl)
> ctx->bit_depth = bit_depth;
> cedrus_reset_cap_format(ctx);
> }
> + } else if (ctrl->id == V4L2_CID_STATELESS_HEVC_SLICE_PARAMS) {
> + const struct v4l2_ctrl_hevc_slice_params *slice = ctrl->p_new.p_hevc_slice_params;
> + unsigned int i;
> +
> + if (slice->num_ref_idx_l0_active_minus1 >=
> + V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;
> +
> + for (i = 0; i <= slice->num_ref_idx_l0_active_minus1; i++)
> + if (slice->ref_idx_l0[i] >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;
> +
> + if (slice->slice_type == V4L2_HEVC_SLICE_TYPE_B) {
> + if (slice->num_ref_idx_l1_active_minus1 >=
> + V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;
> +
> + for (i = 0; i <= slice->num_ref_idx_l1_active_minus1; i++)
> + if (slice->ref_idx_l1[i] >=
> + V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;
> + }
> }
>
> return 0;
>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH 7/7] media: cedrus: validate HEVC slice reference lists
2026-03-23 7:03 [PATCH 7/7] media: cedrus: validate HEVC slice reference lists Pengpeng Hou
2026-03-23 8:04 ` Jernej Škrabec
@ 2026-03-23 8:30 ` Pengpeng Hou
1 sibling, 0 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-23 8:30 UTC (permalink / raw)
To: jernej.skrabec
Cc: mripard, paulk, mchehab, gregkh, wens, samuel, linux-media,
linux-staging, linux-arm-kernel, linux-sunxi, linux-kernel,
pengpeng
Hi Jernej,
Thanks, that makes sense.
You're right, this is not really Cedrus-specific. The missing validation
belongs in the common HEVC slice control path, so I'll respin it there
instead of keeping it in the Cedrus driver.
Thanks for pointing that out.
Best regards,
Pengpeng
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-23 8:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23 7:03 [PATCH 7/7] media: cedrus: validate HEVC slice reference lists Pengpeng Hou
2026-03-23 8:04 ` Jernej Škrabec
2026-03-23 8:30 ` Pengpeng Hou
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox