media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

jira LE-2349
cve CVE-2024-53104
Rebuild_History Non-Buildable kernel-4.18.0-553.40.1.el8_10
commit-author Benoit Sevens <[email protected]>
commit ecf2b43

This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.

Fixes: c0efd23 ("V4L/DVB (8145a): USB Video Class driver")
	Signed-off-by: Benoit Sevens <[email protected]>
	Cc: [email protected]
	Acked-by: Greg Kroah-Hartman <[email protected]>
	Reviewed-by: Laurent Pinchart <[email protected]>
	Signed-off-by: Hans Verkuil <[email protected]>
(cherry picked from commit ecf2b43)
	Signed-off-by: Jonathan Maple <[email protected]>

Author: PlaidCat

drivers/media/usb/uvc/uvc_driver.c

@@ -368,7 +368,7 @@ static int uvc_parse_format(struct uvc_device *dev,
 	 * Parse the frame descriptors. Only uncompressed, MJPEG and frame
 	 * based formats have frame descriptors.
 	 */
-	while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
+	while (ftype && buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE &&
 	       buffer[2] == ftype) {
 		frame = &format->frame[format->nframes];
 		if (ftype != UVC_VS_FRAME_FRAME_BASED)