media: ccs: Fix CCS static data parsing for large block sizes

The length field of the CCS static data blocks was mishandled, leading to
wrong interpretation of the length header for blocks that are 16 kiB in
size. Such large blocks are very, very rare and so this wasn't found
earlier.

As the length is used as part of input validation, the issue has no
security implications.

Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

diff --git a/drivers/media/i2c/ccs/ccs-data.c b/drivers/media/i2c/ccs/ccs-data.c
index 08400edf77ced1315423bea00621a1c607b46db4..9d42137f4799519eb72d9f819d178f511456a82b 100644 (file)
--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -97,7 +97,7 @@ ccs_data_parse_length_specifier(const struct __ccs_data_length_specifier *__len,
                plen = ((size_t)
                        (__len3->length[0] &
                         ((1 << CCS_DATA_LENGTH_SPECIFIER_SIZE_SHIFT) - 1))
-                       << 16) + (__len3->length[0] << 8) + __len3->length[1];
+                       << 16) + (__len3->length[1] << 8) + __len3->length[2];
                break;
        }
        default: