From 711b57227da77d3f4caaf349913bebc3f1530bb0 Mon Sep 17 00:00:00 2001
From: RubenKelevra
Date: Tue, 1 Jul 2025 20:01:20 +0200
Subject: [PATCH] fix(cam_hal): prevent SOI scan from (1) running on length<3 and (2) over-reading the last 2 bytes
Changes:
* Store SOI as a 3-byte array (0xFF D8 FF) and use sizeof() everywhere.
* Early-exit when length < 3 to avoid over-reading
* calculate end index correctly, to avoid over-reading
---
 driver/cam_hal.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/driver/cam_hal.c b/driver/cam_hal.c
index 4daaee7264..b7fb321de7 100644
--- a/driver/cam_hal.c
+++ b/driver/cam_hal.c
@@ -42,13 +42,21 @@ static const char *TAG = "cam_hal";
 static cam_obj_t *cam_obj = NULL;
-static const uint32_t JPEG_SOI_MARKER = 0xFFD8FF; // written in little-endian for esp32
-static const uint16_t JPEG_EOI_MARKER = 0xD9FF; // written in little-endian for esp32
+/* JPEG markers in little-endian order (ESP32). */
+static const uint8_t JPEG_SOI_MARKER[] = {0xFF, 0xD8, 0xFF}; /* SOI = FF D8 FF */
+static const uint16_t JPEG_EOI_MARKER = 0xD9FF; /* EOI = FF D9 */
 static int cam_verify_jpeg_soi(const uint8_t *inbuf, uint32_t length)
 {
- for (uint32_t i = 0; i < length; i++) {
- if (memcmp(&inbuf[i], &JPEG_SOI_MARKER, 3) == 0) {
+ const size_t soi_len = sizeof(JPEG_SOI_MARKER);
+
+ if (length < soi_len) {
+ ESP_LOGW(TAG, "NO-SOI");
+ return -1;
+ }
+
+ for (uint32_t i = 0; i <= length - soi_len; i++) {
+ if (memcmp(&inbuf[i], JPEG_SOI_MARKER, soi_len) == 0) {
 //ESP_LOGW(TAG, "SOI: %d", (int) i);
 return i;
 }
@@ -539,4 +547,4 @@ void cam_give_all(void) {
 bool cam_get_available_frames(void)
 {
 return 0 < uxQueueMessagesWaiting(cam_obj->frame_buffer_queue);
-}
\ No newline at end of file
+}
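Review bot: The comment added above the marker definitions, `/* JPEG markers in little-endian order (ESP32). */`, is now misleading for JPEG_SOI_MARKER: as a uint8_t array it is compared byte-by-byte by memcmp and has no endianness, while only the uint16_t JPEG_EOI_MARKER still depends on the ESP32 being little-endian. I would split it, e.g. `/* SOI = FF D8 FF, stored as bytes (byte-order independent). */` on the array and `/* EOI = FF D9, stored as 0xD9FF because the ESP32 is little-endian. */` on the uint16_t, so a future port does not "correct" the array. In cam_verify_jpeg_soi the new bound `i <= length - soi_len` is only free of unsigned wrap-around because of the `length < soi_len` guard a few lines up; a one-line comment on the `for`, such as `/* length >= soi_len is guaranteed above, so the subtraction cannot wrap */`, records that dependency for whoever later edits either line. The early `ESP_LOGW(TAG, "NO-SOI")` presumably duplicates the not-found path after the loop, which lies outside the hunk along with the rest of the function body; if so, falling through to that single exit would avoid two copies of the same message.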