From db1989abde97f9884b183681d803a4d0477ff311 Mon Sep 17 00:00:00 2001
From: RubenKelevra
Date: Tue, 1 Jul 2025 18:55:50 +0200
Subject: [PATCH] fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If DMA returns a frame shorter than two bytes, the previous code did: dptr = inbuf + length - 2; which under-flows the pointer and produces undefined behaviour. Behaviour for valid frames (length ≥ 2) is unchanged; damaged or empty buffers are now discarded safely.
---
 driver/cam_hal.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/driver/cam_hal.c b/driver/cam_hal.c
index 4daaee7264..ea3a423165 100644
--- a/driver/cam_hal.c
+++ b/driver/cam_hal.c
@@ -59,10 +59,14 @@ static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 
 static int cam_verify_jpeg_eoi(const uint8_t *inbuf, uint32_t length)
 {
+ if (length < sizeof(JPEG_EOI_MARKER)) {
+ return -1;
+ }
+
 int offset = -1;
- uint8_t *dptr = (uint8_t *)inbuf + length - 2;
+ uint8_t *dptr = (uint8_t *)inbuf + length - sizeof(JPEG_EOI_MARKER);
 while (dptr > inbuf) {
- if (memcmp(dptr, &JPEG_EOI_MARKER, 2) == 0) {
+ if (memcmp(dptr, &JPEG_EOI_MARKER, sizeof(JPEG_EOI_MARKER)) == 0) {
 offset = dptr - inbuf;
 //ESP_LOGW(TAG, "EOI: %d", length - (offset + 2));
 return offset;
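Review bot: The new guard lets `length == sizeof(JPEG_EOI_MARKER)` through, but that case can never match: the new `dptr = (uint8_t *)inbuf + length - sizeof(JPEG_EOI_MARKER)` then equals `inbuf`, and the unchanged `while (dptr > inbuf)` loop never examines offset 0, so the function falls out of the loop and returns -1 anyway. Either make the boundary explicit with `if (length <= sizeof(JPEG_EOI_MARKER)) { return -1; }` or state in a comment that a marker at offset 0 is deliberately not matched, so the next reader does not "fix" the loop condition to `>=` and reintroduce a read at `inbuf` that the surrounding code may not expect. The function also has no header comment; above the signature I would add `/* Scan backward from the end of inbuf for the 2-byte JPEG EOI marker; returns its byte offset, or -1 if the buffer is shorter than the marker or no marker is found above offset 0. */`. The `@@` context names a sibling `cam_verify_jpeg_soi` with the same `(inbuf, length)` signature; it presumably needs an equivalent length check, but its body is outside this hunk, as are the remaining loop and final return of `cam_verify_jpeg_eoi`.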