[PATCH] media: vicodec: fix out-of-bounds write on capture buffer

From: Junrui Luo

Date: Mon Jun 01 2026 - 08:38:22 EST


The vicodec stateful decoder handles its first resolution change in
vicodec_buf_queue(), which calls update_capture_data_from_header() to
set q_dst->sizeimage to the new, possibly larger, format. Unlike a
subsequent change in job_ready(), it does not set ctx->source_changed,
so the m2m scheduler still runs a job. buf_prepare() validates queued
CAPTURE buffers against q_dst->vb2_sizeimage.

A CAPTURE buffer allocated before the source change still passes
buf_prepare(), and device_process() then decodes q_dst->sizeimage bytes
into it with no clamp to the buffer's actual size, leading to a
controlled-content out-of-bounds write past the vmalloc-backed capture
buffer.

Guard the write at the decode site in device_process() against
q_dst->sizeimage, the number of bytes the decode actually writes. The
destination buffer is completed with VB2_BUF_STATE_ERROR by the existing
device_run() error path.

Fixes: 3b15f68e19c2 ("media: vicodec: Add support for resolution change event.")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/media/test-drivers/vicodec/vicodec-core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/media/test-drivers/vicodec/vicodec-core.c b/drivers/media/test-drivers/vicodec/vicodec-core.c
index 318e8330f16a..2950d42c8c63 100644
--- a/drivers/media/test-drivers/vicodec/vicodec-core.c
+++ b/drivers/media/test-drivers/vicodec/vicodec-core.c
@@ -321,6 +321,8 @@ static int device_process(struct vicodec_ctx *ctx,
q_dst = get_q_data(ctx, V4L2_BUF_TYPE_VIDEO_CAPTURE);
if (comp_frame_size > ctx->comp_max_size)
return -EINVAL;
+ if (vb2_plane_size(&dst_vb->vb2_buf, 0) < q_dst->sizeimage)
+ return -EINVAL;
state->info = q_dst->info;
ret = v4l2_fwht_decode(state, p_src, p_dst);
if (ret < 0)
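Review bot: the new vb2_plane_size() check ahead of v4l2_fwht_decode() carries no comment explaining why a queued CAPTURE buffer can still be smaller than q_dst->sizeimage at this point, and a later reader is likely to see it as redundant with buf_prepare(). A one-line comment above the check would keep it from being dropped in a cleanup. Going by the commit message, it should say that buffers allocated before the first resolution change in vicodec_buf_queue() pass buf_prepare() because that validates against vb2_sizeimage. The check also returns the same -EINVAL as the comp_frame_size test two lines above it, so the two failures cannot be told apart from the return value. If that distinction matters for debugging a stalled decode, a debug print on this path would help. It is worth confirming that the plane index 0 used here matches the plane p_dst points into, since the hunk does not show where p_dst is derived.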

---
base-commit: e43ffb69e0438cddd72aaa30898b4dc446f664f8
change-id: 20260601-fixes-452ce98d76d8

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>