Re: [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS

From: Andy Shevchenko

Date: Mon Jun 29 2026 - 03:59:46 EST


On Fri, Jun 26, 2026 at 06:40:41PM +0200, Doruk Tan Ozturk wrote:
> atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
> (res->data) from arg->fmt.{width,height,format} but then
> hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
> independent user-controlled v4l2_pix_format field with no cross-check, so
> a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
> memory). Reject sizeimage > res->data_bytes before the store.
>
> Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
> hardware required).

> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).

Is it AI-based / backed? In such a case you may use Assisted-by tag.

--
With Best Regards,
Andy Shevchenko