fix(uvc): add mjpeg and uvc payload header checks

Author: TDA-2030

host/class/uvc/usb_host_uvc/CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.1] - 2025-11-27
+
+### Added
+
+- Added SOI check to prevent output of corrupted MJPEG frames
+- Moved `usb_types_uvc.h` to `private_include` directory
+- Fixed bulk transfer EOF handling to improve robustness
+
 ## [2.4.0] - 2025-11-21
 
 ### Added

host/class/uvc/usb_host_uvc/host_test/main/streaming/test_streaming_helpers.hpp

@@ -12,7 +12,7 @@
 #include <cstdint>
 
 #include "usb/usb_types_stack.h"
-#include "usb/usb_types_uvc.h"
+#include "usb_types_uvc.h"
 
 extern "C" {
 #include "Mockusb_host.h"

host/class/uvc/usb_host_uvc/idf_component.yml

@@ -1,5 +1,5 @@
 ## IDF Component Manager Manifest File
-version: "2.4.0"
+version: "2.4.1"
 description: USB Host UVC driver
 url: https://github.com/espressif/esp-usb/tree/master/host/class/uvc/usb_host_uvc
 dependencies:

host/class/uvc/usb_host_uvc/include/esp_private/uvc_control.h

@@ -7,6 +7,7 @@
 #pragma once
 
 #include "usb/uvc_host.h"
+#include "usb_types_uvc.h"
 
 #ifdef __cplusplus
 extern "C" {

host/class/uvc/usb_host_uvc/include/usb/uvc_host.h

@@ -8,7 +8,6 @@
 
 #include <stdbool.h>
 #include "usb/usb_host.h"
-#include "usb/usb_types_uvc.h"
 #include "esp_err.h"
 
 // Use this macros for opening a UVC stream with any VID or PID

host/class/uvc/usb_host_uvc/include/usb/usb_types_uvc.h renamed to host/class/uvc/usb_host_uvc/private_include/usb_types_uvc.h

@@ -10,7 +10,7 @@
 // So we include only files with USB specification definitions
 // This interface is also used in host_tests
 #include "usb/usb_types_ch9.h"
-#include "usb/usb_types_uvc.h"
+#include "usb_types_uvc.h"
 
 #define UVC_DESC_FPS_TO_DWFRAMEINTERVAL(fps) (((fps) != 0) ? 10000000.0f / (fps) : 0)
 #define UVC_DESC_DWFRAMEINTERVAL_TO_FPS(dwFrameInterval) (((dwFrameInterval) != 0) ? 10000000.0f / ((float)(dwFrameInterval)) : 0)

host/class/uvc/usb_host_uvc/private_include/uvc_descriptors_priv.h

@@ -90,6 +90,17 @@ static inline void uvc_frame_reset(uvc_host_frame_t *frame)
  */
 void uvc_frame_format_update(uvc_stream_t *uvc_stream, const uvc_host_stream_format_t *vs_format);
 
+/**
+ * @brief Check if UVC payload header is valid
+ *
+ * @param[in] hdr Pointer to UVC payload header
+ * @param[in] packet_len Length of packet in bytes
+ * @return
+ *     - true:  Header is valid
+ *     - false: Header is invalid
+ */
+bool uvc_frame_payload_header_validate(const uvc_payload_header_t *hdr, size_t packet_len);
+
 #ifdef __cplusplus
 }
 #endif

host/class/uvc/usb_host_uvc/private_include/uvc_frame_priv.h

@@ -12,6 +12,7 @@
 
 #include "usb/usb_host.h"
 #include "usb/uvc_host.h"
+#include "usb_types_uvc.h"
 
 #include "freertos/FreeRTOS.h"
 #include "freertos/queue.h"

host/class/uvc/usb_host_uvc/private_include/uvc_types_priv.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -81,50 +81,36 @@ void bulk_transfer_callback(usb_transfer_t *transfer)
     // Consequently, it becomes impossible to distinguish between the last data packet and the EoF header.
     // To address this, the hack discards all frames whose last data packet has the MPS size.
     switch (uvc_stream->single_thread.next_bulk_packet) {
-    case UVC_STREAM_BULK_PACKET_EOF: {
-        const uvc_payload_header_t *payload_header = (const uvc_payload_header_t *)payload;
-        uvc_stream->single_thread.next_bulk_packet = UVC_STREAM_BULK_PACKET_SOF;
-
-        if (payload_header->bmHeaderInfo.end_of_frame) {
-            // Just skip the current frame if the frame_id does not match, we plan to include a better fix in #308
-            // Due to the SOF of the next frame may not be handled， this may result in dropping two consecutive frames.
-            if (payload_header->bmHeaderInfo.error || payload_header->bmHeaderInfo.frame_id != uvc_stream->single_thread.current_frame_id) {
-                uvc_stream->single_thread.skip_current_frame = true;
-            }
-
-            // Get the current frame being processed and clear it from the stream,
-            // so no more data is written to this frame after the end of frame
-            UVC_ENTER_CRITICAL(); // Enter critical section to safely check and modify the stream state.
-            uvc_host_frame_t *this_frame = uvc_stream->dynamic.current_frame;
-            uvc_stream->dynamic.current_frame = NULL;
-
-            // Determine if we should invoke the frame callback:
-            // Only invoke the callback if streaming is active, a frame callback exists,
-            // and we have a valid frame to pass to the user.
-            const bool invoke_fb_callback = (uvc_stream->dynamic.streaming && uvc_stream->constant.frame_cb && this_frame && !uvc_stream->single_thread.skip_current_frame);
-            UVC_EXIT_CRITICAL();
-
-            bool return_frame = true; // Default to returning the frame in case streaming has been stopped
-            if (invoke_fb_callback) {
-                // Call the user's frame callback. If the callback returns false,
-                // we do not return the frame to the empty queue (i.e., the user wants to keep it for processing)
-                return_frame = uvc_stream->constant.frame_cb(this_frame, uvc_stream->constant.cb_arg);
-            }
-            if (return_frame) {
-                // If the user has processed the frame (or the stream is stopped), return it to the empty frame queue
-                uvc_host_frame_return(uvc_stream, this_frame);
-            }
-            break;
-        }
-
-        __attribute__((fallthrough));  // Fall through! This is not EoF but SoF!
-    }
     case UVC_STREAM_BULK_PACKET_SOF: {
         const uvc_payload_header_t *payload_header = (const uvc_payload_header_t *)payload;
 
         // We detected start of new frame. Update Frame ID and start fetching this frame
         uvc_stream->single_thread.current_frame_id   = payload_header->bmHeaderInfo.frame_id;
         uvc_stream->single_thread.skip_current_frame = payload_header->bmHeaderInfo.error; // Check for error flag
+        // Validate header before accessing it
+        if (!uvc_frame_payload_header_validate(payload_header, transfer->actual_num_bytes)) {
+            ESP_LOGD(TAG, "invalid UVC payload header, %02x, %02x, len:%d", payload[0], payload[1], transfer->actual_num_bytes);
+            uvc_stream->single_thread.skip_current_frame = true;
+            goto skip_sof;
+        }
+        payload_data     += payload_header->bHeaderLength; // Pointer arithmetic!
+        payload_data_len -= payload_header->bHeaderLength;
+
+        // Drop frame if device signals error in header
+        if (payload_header->bmHeaderInfo.error) {
+            ESP_LOGW(TAG, "frame error flag set");
+            uvc_stream->single_thread.skip_current_frame = true;
+            goto skip_sof;
+        }
+
+        // Check mjpeg frame start
+        if (uvc_stream->dynamic.vs_format.format == UVC_VS_FORMAT_MJPEG &&
+                (payload_data[0] != 0xff || payload_data[1] != 0xd8)) {
+            // We received frame with invalid frame, skip this frame
+            uvc_stream->single_thread.skip_current_frame = true;
+            ESP_LOGW(TAG, "invalid MJPEG SOI");
+            goto skip_sof;
+        }
 
         // Get free frame buffer for this new frame
         UVC_ENTER_CRITICAL();
@@ -150,17 +136,11 @@ void bulk_transfer_callback(usb_transfer_t *transfer)
             uvc_frame_reset(uvc_stream->dynamic.current_frame);
             UVC_EXIT_CRITICAL();
         }
-
-        payload_data     += payload_header->bHeaderLength; // Pointer arithmetic!
-        payload_data_len -= payload_header->bHeaderLength;
+skip_sof:
         uvc_stream->single_thread.next_bulk_packet = UVC_STREAM_BULK_PACKET_DATA;
         __attribute__((fallthrough));  // Fall through! There can be data after SoF!
     }
     case UVC_STREAM_BULK_PACKET_DATA: {
-        // We got short packet in data section, next packet is EoF
-        if (transfer->data_buffer_size > transfer->actual_num_bytes) {
-            uvc_stream->single_thread.next_bulk_packet = UVC_STREAM_BULK_PACKET_EOF;
-        }
         // Add received data to frame buffer
         if (!uvc_stream->single_thread.skip_current_frame) {
             uvc_host_frame_t *current_frame = UVC_ATOMIC_LOAD(uvc_stream->dynamic.current_frame);
@@ -179,7 +159,40 @@ void bulk_transfer_callback(usb_transfer_t *transfer)
                 }
             }
         }
+        // We got short packet in data section, this packet is EoF
+        if (transfer->data_buffer_size > transfer->actual_num_bytes) {
+            uvc_stream->single_thread.next_bulk_packet = UVC_STREAM_BULK_PACKET_EOF;
+        } else {
+            break; //only break if we have got full packet
+        }
+    }
+    case UVC_STREAM_BULK_PACKET_EOF: {
+        uvc_stream->single_thread.next_bulk_packet = UVC_STREAM_BULK_PACKET_SOF;
+
+        // Get the current frame being processed and clear it from the stream,
+        // so no more data is written to this frame after the end of frame
+        UVC_ENTER_CRITICAL(); // Enter critical section to safely check and modify the stream state.
+        uvc_host_frame_t *this_frame = uvc_stream->dynamic.current_frame;
+        uvc_stream->dynamic.current_frame = NULL;
+
+        // Determine if we should invoke the frame callback:
+        // Only invoke the callback if streaming is active, a frame callback exists,
+        // and we have a valid frame to pass to the user.
+        const bool invoke_fb_callback = (uvc_stream->dynamic.streaming && uvc_stream->constant.frame_cb && this_frame && !uvc_stream->single_thread.skip_current_frame);
+        UVC_EXIT_CRITICAL();
+
+        bool return_frame = true; // Default to returning the frame in case streaming has been stopped
+        if (invoke_fb_callback) {
+            // Call the user's frame callback. If the callback returns false,
+            // we do not return the frame to the empty queue (i.e., the user wants to keep it for processing)
+            return_frame = uvc_stream->constant.frame_cb(this_frame, uvc_stream->constant.cb_arg);
+        }
+        if (return_frame) {
+            // If the user has processed the frame (or the stream is stopped), return it to the empty frame queue
+            uvc_host_frame_return(uvc_stream, this_frame);
+        }
         break;
+
     }
     default: abort();
     }