fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow #759

RubenKelevra · 2025-07-01T16:58:34Z

Description

If DMA returns a frame shorter than two bytes, the previous code did:

dptr = inbuf + length - 2;

which under-flows the pointer and produces undefined behaviour.

Behaviour for valid frames (length ≥ 2) is unchanged; damaged or empty buffers are now discarded safely.

Testing

@turenkomv would you be so kind and would test this on your hardware? Tag is fixes_for_m5_0.2, which is the currently used version in ESPHome with both patches on top.

Checklist

Before submitting a Pull Request, please ensure the following:

🚨 This PR does not introduce breaking changes.
All CI checks (GH Actions) pass. (?)
Documentation is updated as needed.
Tests are updated or added as necessary.
Code is well-commented, especially in complex areas.
Git history is clean — commits are squashed to the minimum necessary.

turenkomv · 2025-07-01T17:28:58Z

No effect, still getting the same error.

Just to double-check — am I only testing the changes from this PR, and not these ones #758 ?

RubenKelevra · 2025-07-01T17:32:36Z

Just to double-check — am I only testing the changes from this PR, and not these ones #758 ?

No, please both changes. The tag fixes_for_m5_0.2 I've prepared for your contains both fixes on top of 2.0.15, which is the version used in ESPHome.

turenkomv · 2025-07-01T17:38:58Z

Tried fixes_for_m5_0.2 — no changes, same behavior

RubenKelevra · 2025-07-01T17:42:52Z

Yeah, I found the next bug.

Grab a coffee, this may take a while :D

turenkomv · 2025-07-01T18:12:41Z

Enabled the flags:

CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK: "y"
CONFIG_FREERTOS_CHECK_STACKOVERFLOW: "2"

Here's the output from xtensa-esp32s3-elf-addr2line — hopefully this helps:

C:\Projects\xtensa-esp32s3-elf-gcc8_4_0-esp-2021r2-win32\xtensa-esp32s3-elf\bin>xtensa-esp32s3-elf-addr2line.exe -pfiaC -e "C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1\.pioenvs\m5stack-camera-1\firmware.elf" 0x4037ef47 0x420484af 0x420485d5 0x4200f951 0x42016a3e 0x420a4a49 0x403845b2 0x4201a72a 0x42019cca 0x4200bbfa
0x4037ef47: xPortSetInterruptMaskFromISR at C:\Users\turen\.platformio\packages\framework-espidf\components\freertos\FreeRTOS-Kernel\portable\xtensa\include\freertos/portmacro.h:552
 (inlined by) xPortEnterCriticalTimeout at C:\Users\turen\.platformio\packages\framework-espidf\components\freertos\FreeRTOS-Kernel\portable\xtensa/port.c:478
0x420484af: vPortEnterCritical at C:\Users\turen\.platformio\packages\framework-espidf\components\freertos\FreeRTOS-Kernel\portable\xtensa\include\freertos/portmacro.h:567
 (inlined by) find_key at C:\Users\turen\.platformio\packages\framework-espidf\components\pthread/pthread_local_storage.c:77
0x420485d5: pthread_setspecific at C:\Users\turen\.platformio\packages\framework-espidf\components\pthread/pthread_local_storage.c:199
0x4200f951: esphome::logger::Logger::check_and_set_task_log_recursion_(bool) at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/src/esphome/components/logger/logger.h:298
 (inlined by) esphome::logger::Logger::check_and_set_task_log_recursion_(bool) at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/src/esphome/components/logger/logger.h:287
 (inlined by) esphome::logger::Logger::log_vprintf_(unsigned char, char const*, int, char const*, __va_list_tag) at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/src/esphome/components/logger/logger.cpp:35
0x42016a3e: esphome::esp_idf_log_vprintf_(char const*, __va_list_tag) at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/src/esphome/core/log.cpp:56
0x420a4a49: esp_log_writev at C:\Users\turen\.platformio\packages\framework-espidf\components\log/log.c:210
0x403845b2: esp_log_write at C:\Users\turen\.platformio\packages\framework-espidf\components\log/log.c:220
0x4201a72a: cam_take at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/managed_components/espressif__esp32-camera/driver/cam_hal.c:494 (discriminator 1)
0x42019cca: esp_camera_fb_get at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/managed_components/espressif__esp32-camera/driver/esp_camera.c:372
0x4200bbfa: esphome::esp32_camera::ESP32Camera::framebuffer_task(void*) at C:\Projects\m5stack-camera-1\.esphome\build\m5stack-camera-1/src/esphome/components/esp32_camera/esp32_camera.cpp:412

RubenKelevra · 2025-07-01T18:30:53Z

Yes, that's very helpful.

RubenKelevra · 2025-07-01T18:40:06Z

I found the culprit. I'll provide another fix.

me-no-dev · 2025-07-14T10:19:06Z

Do not use sizeof here and please let me know in whta order your PRs need to go in. they seem all mixed up

RubenKelevra · 2025-07-14T10:35:48Z

Hey @me-no-dev,

I'm sorry for the confusion: So #758 (which was already merged), this one, and #760 are completely independent from each other.

#765 however requires all 3 independent PRs to be merged, that's why it contained the commits of the unmerged PRs. I've removed the already merged PR #758 from it.

If DMA returns a frame shorter than two bytes, the previous code did: dptr = inbuf + length - 2; which under-flows the pointer and produces undefined behaviour. Behaviour for valid frames (length ≥ 2) is unchanged; damaged or empty buffers are now discarded safely.

me-no-dev · 2025-07-14T11:53:45Z

ready for review and merge?

RubenKelevra · 2025-07-14T11:55:40Z

Do not use sizeof here

Fixed. Ready for merge.

RubenKelevra mentioned this pull request Jul 1, 2025

fix(cam_hal): replace recursive cam_take() with bounded loop prevents stack-overflow in cam_task #758

Merged

6 tasks

This was referenced Jul 1, 2025

fix(cam_hal): throttle WARN spam so cam_task reduces it's stack footprint #761

Closed

cam_hal: shrink ISR stack, silence spam, strip logs at low levels #765

Merged

RubenKelevra marked this pull request as draft July 14, 2025 10:33

RubenKelevra force-pushed the fix_jpeg-eoi-underflow branch from db1989a to ee92090 Compare July 14, 2025 11:21

RubenKelevra marked this pull request as ready for review July 14, 2025 11:55

me-no-dev merged commit a42fe29 into espressif:master Jul 14, 2025
30 checks passed

RubenKelevra deleted the fix_jpeg-eoi-underflow branch July 15, 2025 19:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow #759

fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow #759

RubenKelevra commented Jul 1, 2025 •

edited

Loading

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

me-no-dev commented Jul 14, 2025

Uh oh!

RubenKelevra commented Jul 14, 2025

Uh oh!

me-no-dev commented Jul 14, 2025

Uh oh!

RubenKelevra commented Jul 14, 2025

Uh oh!

Uh oh!

Uh oh!

fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow #759

fix(cam_hal): guard cam_verify_jpeg_eoi() against buffer-underflow #759

Conversation

RubenKelevra commented Jul 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Related

Testing

Checklist

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

turenkomv commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

RubenKelevra commented Jul 1, 2025

Uh oh!

me-no-dev commented Jul 14, 2025

Uh oh!

RubenKelevra commented Jul 14, 2025

Uh oh!

me-no-dev commented Jul 14, 2025

Uh oh!

RubenKelevra commented Jul 14, 2025

Uh oh!

Uh oh!

Uh oh!

RubenKelevra commented Jul 1, 2025 •

edited

Loading