[PATCH] media: s2255: validate firmware trailer size

From: Pengpeng Hou

Date: Tue Jun 30 2026 - 03:26:23 EST


s2255_probe() reads the marker and version from the last eight bytes of
the firmware image. A shorter image makes those trailer reads
underflow.

Reject firmware images shorter than the required trailer before reading
it.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/media/usb/s2255/s2255drv.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
index 0b8182e..b19f541 100644
--- a/drivers/media/usb/s2255/s2255drv.c
+++ b/drivers/media/usb/s2255/s2255drv.c
@@ -2277,6 +2277,12 @@ static int s2255_probe(struct usb_interface *interface,
}
/* check the firmware is valid */
fw_size = dev->fw_data->fw->size;
+ if (fw_size < 8) {
+ dev_err(&interface->dev, "Firmware invalid.\n");
+ retval = -ENODEV;
+ goto errorFWMARKER;
+ }
+
pdata = (__le32 *) &dev->fw_data->fw->data[fw_size - 8];

if (*pdata != S2255_FW_MARKER) {