[media] gspca_topro: Add a couple of missing length check in the packet parsing code

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

diff --git a/drivers/media/usb/gspca/topro.c b/drivers/media/usb/gspca/topro.c
index 640c2fe760b3c4e13c687eefbde34e156025d648..5fcd1eec2004ae97b1ed61df808cf3e97bc1adf4 100644 (file)
--- a/drivers/media/usb/gspca/topro.c
+++ b/drivers/media/usb/gspca/topro.c
@@ -4631,8 +4631,16 @@ static void sd_pkt_scan(struct gspca_dev *gspca_dev,
                }
                data++;
                len--;
+               if (len < 2) {
+                       gspca_dev->last_packet_type = DISCARD_PACKET;
+                       return;
+               }
                if (*data == 0xff && data[1] == 0xd8) {
 /*fixme: there may be information in the 4 high bits*/
+                       if (len < 7) {
+                               gspca_dev->last_packet_type = DISCARD_PACKET;
+                               return;
+                       }
                        if ((data[6] & 0x0f) != sd->quality)
                                set_dqt(gspca_dev, data[6] & 0x0f);
                        gspca_frame_add(gspca_dev, FIRST_PACKET,
@@ -4672,7 +4680,7 @@ static void sd_pkt_scan(struct gspca_dev *gspca_dev,
                gspca_dev->last_packet_type = DISCARD_PACKET;
                break;
        case 0xcc:
-               if (data[1] != 0xff || data[2] != 0xd8)
+               if (len >= 3 && (data[1] != 0xff || data[2] != 0xd8))
                        gspca_frame_add(gspca_dev, INTER_PACKET,
                                        data + 1, len - 1);
                else