fix(cam_hal): prevent SOI scan from (1) running on length<3

RubenKelevra · RubenKelevra · commit 711b57227da7 · 2025-07-01T20:13:37.000+02:00
and (2) over-reading the last 2 bytes

Changes:
* Store SOI as a 3-byte array (0xFF D8 FF) and use sizeof() everywhere.
* Early-exit when length &lt; 3 to avoid over-reading
* calculate end index correctly, to avoid over-reading
diff --git a/driver/cam_hal.c b/driver/cam_hal.c
@@ -42,13 +42,21 @@
 static const char *TAG = "cam_hal";
 static cam_obj_t *cam_obj = NULL;
 
-static const uint32_t JPEG_SOI_MARKER = 0xFFD8FF;  // written in little-endian for esp32
-static const uint16_t JPEG_EOI_MARKER = 0xD9FF;  // written in little-endian for esp32
+/* JPEG markers in little-endian order (ESP32). */
+static const uint8_t JPEG_SOI_MARKER[] = {0xFF, 0xD8, 0xFF}; /* SOI = FF D8 FF */
+static const uint16_t JPEG_EOI_MARKER = 0xD9FF;              /* EOI = FF D9 */
 
 static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 {
-    for (uint32_t i = 0; i < length; i++) {
-        if (memcmp(&inbuf[i], &JPEG_SOI_MARKER, 3) == 0) {
+    const size_t soi_len = sizeof(JPEG_SOI_MARKER);
+
+    if (length < soi_len) {
+        ESP_LOGW(TAG, "NO-SOI");
+        return -1;
+    }
+
+    for (uint32_t i = 0; i <= length - soi_len; i++) {
+        if (memcmp(&inbuf[i], JPEG_SOI_MARKER, soi_len) == 0) {
             //ESP_LOGW(TAG, "SOI: %d", (int) i);
             return i;
         }
@@ -539,4 +547,4 @@ void cam_give_all(void) {
 bool cam_get_available_frames(void)
 {
     return 0 < uxQueueMessagesWaiting(cam_obj->frame_buffer_queue);
-}
+}
