From: Jay Fenlason <fenlason@redhat.com> Date: Mon, 10 Nov 2008 16:06:13 -0500 Subject: [video] uvc: buf overflow in format descriptor parsing Message-id: 20081110210613.GA31653@redhat.com O-Subject: [PATCH RHEL 5.3] bz#470427 CVE-2008-3496 kernel: uvcvideo: Fix a buffer overflow in format descriptor parsing [rhel-5.3] Bugzilla: 470427 CVE: CVE-2008-3496 uvc_driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c index 9fffdd1..3e1d91b 100644 --- a/drivers/media/video/uvc/uvc_driver.c +++ b/drivers/media/video/uvc/uvc_driver.c @@ -298,7 +298,8 @@ static int uvc_parse_format(struct uvc_device *dev, switch (buffer[2]) { case VS_FORMAT_UNCOMPRESSED: case VS_FORMAT_FRAME_BASED: - if (buflen < 27) { + n = buffer[2] == VS_FORMAT_UNCOMPRESSED ? 27 : 28; + if (buflen < n) { uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming" "interface %d FORMAT error\n", dev->udev->devnum,