Re: [PATCH v2] media: v4l2-ctrls: validate HEVC slice reference lists

From: Nicolas Dufresne

Date: Mon Mar 23 2026 - 09:49:10 EST


On Monday, 23 March 2026 at 16:30 +0800, Pengpeng Hou wrote:
> HEVC slice parameters are shared stateless V4L2 controls, but the common
> control validation path currently does not verify the active reference
> counts or the ref_idx_l0/ref_idx_l1 entries before driver-specific code
> uses them to index fixed 16-entry DPB arrays.
>
> The original report was triggered by Cedrus, but the missing validation
> is not Cedrus-specific. Move the bounds checks into the common HEVC slice
> control validation path so every stateless HEVC driver gets the same
> basic guarantees as soon as the control is queued.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> v2:
> - move the validation from Cedrus-specific try_ctrl() into
>   drivers/media/v4l2-core/v4l2-ctrls-core.c
> - keep the checks limited to HEVC slice reference counts and indices
>
>  drivers/media/v4l2-core/v4l2-ctrls-core.c | 24 +++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
> index 6b375720e395..4e7563c8bf4a 100644
> --- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
> +++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
> @@ -1260,6 +1260,30 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
>   break;
>  
>   case V4L2_CTRL_TYPE_HEVC_SLICE_PARAMS:
> + p_hevc_slice_params = p;
> +
> + if (p_hevc_slice_params->num_ref_idx_l0_active_minus1 >=
> +     V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;

Ack.

> +
> + for (i = 0; i <= p_hevc_slice_params->num_ref_idx_l0_active_minus1;
> +      i++)
> + if (p_hevc_slice_params->ref_idx_l0[i] >=
> +     V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;

That one is a breaking change since userspace already passes off-limit values
such as 0xff when a reference is missing (was lost). See:

47825b1646a6a9eca0f90baa3d4f98947c2add96

The hardware may or may not be capable of doing concealment, but with this
change, we bring down all drivers to failing the decode completely.

> +
> + if (p_hevc_slice_params->slice_type != V4L2_HEVC_SLICE_TYPE_B)
> + break;
> +
> + if (p_hevc_slice_params->num_ref_idx_l1_active_minus1 >=
> +     V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;

Ack.

> +
> + for (i = 0; i <= p_hevc_slice_params->num_ref_idx_l1_active_minus1;
> +      i++)
> + if (p_hevc_slice_params->ref_idx_l1[i] >=
> +     V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> + return -EINVAL;

Same.

cheers,
Nicolas

>   break;
>  
>   case V4L2_CTRL_TYPE_HEVC_EXT_SPS_ST_RPS:
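Review bot: the slice_type gating is one-sided. The L0 count and every active ref_idx_l0[] entry are checked for all slice types, I slices included, while the L1 count and ref_idx_l1[] are skipped for anything that is not a B slice (`if (p_hevc_slice_params->slice_type != V4L2_HEVC_SLICE_TYPE_B) break;`). A driver that reads num_ref_idx_l1_active_minus1 or ref_idx_l1[] for a P slice, or the L0 fields for an I slice, gets no bounds guarantee from this hunk even though the commit message promises "the same basic guarantees" to every stateless HEVC driver. Either check both lists unconditionally (cheap: two fixed 16-entry arrays compared against V4L2_HEVC_DPB_ENTRIES_NUM_MAX), or gate L0 on P/B slices as well and document that drivers must not touch the inactive list. Two smaller points: the hunk shows no declaration of p_hevc_slice_params or i, so if std_validate_compound() does not already declare them this will not build; and rejecting every ref_idx value >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX makes the sentinel userspace already passes for a lost reference invalid, so if that sentinel is to stay legal the two loops should accept it explicitly and the driver side should map it to "missing" rather than use it as an index.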

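To make the trade-off in this thread concrete, here is an added example in C; it is not code from the patch, from the kernel, or from either participant. It models the reference-list check in user space so it can be run stand-alone: the active counts are bounded by the DPB size, each active entry must be a real DPB slot or the 0xff sentinel Nicolas mentions, and a driver-side lookup turns the sentinel into "missing" instead of an index. The struct is a reduced stand-in for the uAPI control using the field names from the patch, the constants are defined locally, the sample slice is constructed, and HEVC_REF_IDX_MISSING is a name chosen here for the sentinel.

```c
/*
 * Added example (not from the patch, the kernel or the reply): a user-space
 * model of the HEVC reference-list check, written so the 0xff sentinel that
 * userspace already passes for a lost reference stays legal while every other
 * out-of-range index is refused before a driver can use it on a fixed
 * 16-entry DPB array. Struct, constants and sample are local assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define V4L2_HEVC_DPB_ENTRIES_NUM_MAX 16
#define V4L2_HEVC_SLICE_TYPE_B 0
#define HEVC_REF_IDX_MISSING 0xff	/* assumed "reference was lost" marker */

struct hevc_slice_params {		/* reduced stand-in for the uAPI control */
	uint8_t num_ref_idx_l0_active_minus1;
	uint8_t num_ref_idx_l1_active_minus1;
	uint8_t ref_idx_l0[V4L2_HEVC_DPB_ENTRIES_NUM_MAX];
	uint8_t ref_idx_l1[V4L2_HEVC_DPB_ENTRIES_NUM_MAX];
	uint8_t slice_type;
};

/* Active count must fit the array; each active entry is a DPB slot or the
 * sentinel. Anything else is the out-of-bounds index the patch targets. */
static int validate_ref_list(uint8_t active_minus1, const uint8_t *ref_idx)
{
	unsigned int i;

	if (active_minus1 >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
		return -EINVAL;
	for (i = 0; i <= active_minus1; i++) {
		if (ref_idx[i] == HEVC_REF_IDX_MISSING)
			continue;	/* lost reference: legal, driver conceals */
		if (ref_idx[i] >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
			return -EINVAL;
	}
	return 0;
}

/* Both lists are checked regardless of slice_type, so a driver that reads
 * the inactive list still cannot index past its DPB array. */
int hevc_validate_slice_params(const struct hevc_slice_params *p)
{
	int ret = validate_ref_list(p->num_ref_idx_l0_active_minus1,
				    p->ref_idx_l0);

	if (ret)
		return ret;
	return validate_ref_list(p->num_ref_idx_l1_active_minus1,
				 p->ref_idx_l1);
}

/* Driver-side lookup: DPB slot for entry i of list 0/1, or -1 when the entry
 * is inactive, lost or out of range, so the caller conceals instead of
 * dereferencing dpb[0xff]. Safe even if called on unvalidated input. */
int hevc_resolve_ref(const struct hevc_slice_params *p, int list, unsigned int i)
{
	const uint8_t *ref_idx = list ? p->ref_idx_l1 : p->ref_idx_l0;
	uint8_t active_minus1 = list ? p->num_ref_idx_l1_active_minus1
				     : p->num_ref_idx_l0_active_minus1;

	if (i >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX || i > active_minus1)
		return -1;
	if (ref_idx[i] >= V4L2_HEVC_DPB_ENTRIES_NUM_MAX)	/* covers 0xff */
		return -1;
	return ref_idx[i];
}

/* Constructed sample: B slice, two L0 refs (second one lost), one L1 ref. */
static void sample_slice(struct hevc_slice_params *p)
{
	memset(p, 0, sizeof(*p));
	p->slice_type = V4L2_HEVC_SLICE_TYPE_B;
	p->num_ref_idx_l0_active_minus1 = 1;
	p->ref_idx_l0[0] = 3;
	p->ref_idx_l0[1] = HEVC_REF_IDX_MISSING;
	p->num_ref_idx_l1_active_minus1 = 0;
	p->ref_idx_l1[0] = 15;
}

/* Validation result for the sample, optionally corrupted: 1 = ref_idx_l0[0]
 * set to 16 (not a slot), 2 = L1 active count set to 16 (past the array). */
int hevc_check_sample(int corruption)
{
	struct hevc_slice_params p;

	sample_slice(&p);
	if (corruption == 1)
		p.ref_idx_l0[0] = V4L2_HEVC_DPB_ENTRIES_NUM_MAX;
	else if (corruption == 2)
		p.num_ref_idx_l1_active_minus1 = V4L2_HEVC_DPB_ENTRIES_NUM_MAX;
	return hevc_validate_slice_params(&p);
}

/* Lookup against the sample: (0,0) -> 3, (0,1) -> -1 (lost), (1,0) -> 15. */
int hevc_resolve_sample(int list, unsigned int i)
{
	struct hevc_slice_params p;

	sample_slice(&p);
	return hevc_resolve_ref(&p, list, i);
}
```

The design choice here is to validate both lists whatever slice_type says, which is the stronger guarantee for drivers but would reject a P slice whose L1 fields userspace never initialised; the patch avoids that by breaking out before the L1 checks for non-B slices, at the cost of leaving those fields unchecked. Whether a driver can actually conceal a lost reference once the lookup returns -1 is hardware-specific, as Nicolas notes; the point of the model is only that the sentinel never reaches an array index.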