[PATCH 7/7] media: cedrus: validate HEVC slice reference lists
From: Pengpeng Hou
Date: Mon Mar 23 2026 - 03:09:14 EST
Cedrus consumes HEVC slice parameters directly from stateless V4L2
controls, but it does not validate the active reference counts or the
ref_idx_l0/ref_idx_l1 values before using them in fixed-size 16-entry
reference arrays. Oversized counts or indices can therefore walk past
the end of those arrays in the HEVC decode path.
Reject HEVC slice controls whose active reference counts or reference
indices exceed V4L2_HEVC_DPB_ENTRIES_NUM_MAX.
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/staging/media/sunxi/cedrus/cedrus.c | 22 +++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index 6600245dff0e..d68da1eaa7aa 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -77,6 +77,28 @@ static int cedrus_try_ctrl(struct v4l2_ctrl *ctrl)
ctx->bit_depth = bit_depth;
cedrus_reset_cap_format(ctx);
}
+ } else if (ctrl->id == V4L2_CID_STATELESS_HEVC_SLICE_PARAMS) {
+ const struct v4l2_ctrl_hevc_slice_params *slice = ctrl->p_new.p_hevc_slice_params;
+ unsigned int i;
+
+ if (slice->num_ref_idx_l0_active_minus1 >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ for (i = 0; i <= slice->num_ref_idx_l0_active_minus1; i++)
+ if (slice->ref_idx_l0[i] >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ if (slice->slice_type == V4L2_HEVC_SLICE_TYPE_B) {
+ if (slice->num_ref_idx_l1_active_minus1 >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+
+ for (i = 0; i <= slice->num_ref_idx_l1_active_minus1; i++)
+ if (slice->ref_idx_l1[i] >=
+ V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
+ return -EINVAL;
+ }
}
return 0;
--
2.50.1 (Apple Git-155)