Merge pull request #760 from RubenKelevra/fix_jpeg-soi-overread

me-no-dev · web-flow · commit cbed97ce6d3f · 2025-07-14T14:15:15.000+03:00
fix(cam_hal): prevent SOI scan from (1) running on length&lt;3 and (2) over-reading the last 2 bytes
diff --git a/driver/cam_hal.c b/driver/cam_hal.c
@@ -42,13 +42,20 @@
 static const char *TAG = "cam_hal";
 static cam_obj_t *cam_obj = NULL;
 
-static const uint32_t JPEG_SOI_MARKER = 0xFFD8FF;  // written in little-endian for esp32
-static const uint16_t JPEG_EOI_MARKER = 0xD9FF;  // written in little-endian for esp32
+/* JPEG markers in little-endian order (ESP32). */
+static const uint8_t JPEG_SOI_MARKER[] = {0xFF, 0xD8, 0xFF}; /* SOI = FF D8 FF */
+#define JPEG_SOI_MARKER_LEN (3)
+static const uint16_t JPEG_EOI_MARKER = 0xD9FF;              /* EOI = FF D9 */
 
 static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 {
-    for (uint32_t i = 0; i < length; i++) {
-        if (memcmp(&inbuf[i], &JPEG_SOI_MARKER, 3) == 0) {
+    if (length < JPEG_SOI_MARKER_LEN) {
+        ESP_LOGW(TAG, "NO-SOI");
+        return -1;
+    }
+
+    for (uint32_t i = 0; i <= length - JPEG_SOI_MARKER_LEN; i++) {
+        if (memcmp(&inbuf[i], JPEG_SOI_MARKER, JPEG_SOI_MARKER_LEN) == 0) {
             //ESP_LOGW(TAG, "SOI: %d", (int) i);
             return i;
         }
