From ee92090425c2c5234ec697105b3d3453e14a2ec0 Mon Sep 17 00:00:00 2001
From: RubenKelevra
Date: Tue, 1 Jul 2025 18:55:50 +0200
Subject: [PATCH] fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If DMA returns a frame shorter than two bytes, the previous code did:

    dptr = inbuf + length - 2;

which under-flows the pointer and produces undefined behaviour.

Behaviour for valid frames (length ≥ 2) is unchanged; damaged or empty buffers are now discarded safely.
---
 driver/cam_hal.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/driver/cam_hal.c b/driver/cam_hal.c
index fa668b3b74..f244e2f871 100644
--- a/driver/cam_hal.c
+++ b/driver/cam_hal.c
@@ -46,6 +46,7 @@ static cam_obj_t *cam_obj = NULL;
 static const uint8_t JPEG_SOI_MARKER[] = {0xFF, 0xD8, 0xFF}; /* SOI = FF D8 FF */
 #define JPEG_SOI_MARKER_LEN (3)
 static const uint16_t JPEG_EOI_MARKER = 0xD9FF; /* EOI = FF D9 */
+#define JPEG_EOI_MARKER_LEN (2)
 
 static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 {
@@ -66,10 +67,14 @@ static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 static int cam_verify_jpeg_eoi(const uint8_t *inbuf, uint32_t length)
 {
+    if (length < JPEG_EOI_MARKER_LEN) {
+        return -1;
+    }
+
     int offset = -1;
-    uint8_t *dptr = (uint8_t *)inbuf + length - 2;
+    uint8_t *dptr = (uint8_t *)inbuf + length - JPEG_EOI_MARKER_LEN;
     while (dptr > inbuf) {
-        if (memcmp(dptr, &JPEG_EOI_MARKER, 2) == 0) {
+        if (memcmp(dptr, &JPEG_EOI_MARKER, JPEG_EOI_MARKER_LEN) == 0) {
             offset = dptr - inbuf;
             //ESP_LOGW(TAG, "EOI: %d", length - (offset + 2));
             return offset;
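Review bot: The new `#define JPEG_EOI_MARKER_LEN (2)` restates a width the compiler already knows, since the object it bounds in the second hunk's `memcmp(dptr, &JPEG_EOI_MARKER, JPEG_EOI_MARKER_LEN)` is the `uint16_t JPEG_EOI_MARKER` declared on the line above; the length guard added in the second hunk is what now keeps `dptr` inside `inbuf`, so a mismatch between the literal and the object's size would silently reopen the underflow this patch closes. Tie the two together with `#define JPEG_EOI_MARKER_LEN (sizeof JPEG_EOI_MARKER)`, or keep the literal for consistency with `JPEG_SOI_MARKER_LEN (3)` and add `_Static_assert(sizeof JPEG_EOI_MARKER == JPEG_EOI_MARKER_LEN, "EOI marker width");` beside it if the build is C11. Either way `length < JPEG_EOI_MARKER_LEN` stays an unsigned comparison, so no sign-change warning is introduced. Worth a one-line comment on the define as well: the marker is compared as raw bytes, and `0xD9FF` only lays out as `FF D9` in memory on a little-endian target, which is pre-existing but now hidden one macro further from the compare. The body of cam_verify_jpeg_eoi in the second hunk continues past the end of the patch text shown here.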