nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

media: v4l: ioctl: Validate num_planes before using it

Browse source 
The for loop to reset the memory of the plane reserved fields runs over
num_planes provided by the user without validating it. Ensure num_planes
is no more than VIDEO_MAX_PLANES before the loop.

Fixes: 4e1e0eb0e0 ("media: v4l2-ioctl: Zero v4l2_plane_pix_format reserved fields")

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This commit is contained in:
Sakari Ailus 2019-01-10 07:43:19 -05:00 committed by Mauro Carvalho Chehab
parent dd91642ac7
commit 9048b2e15b
1 changed files with 8 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/media/v4l2-core/v4l2-ioctl.c
View file

@ -1551,6 +1551,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane)) if (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))
break; break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func); CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++) for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i], CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline); bytesperline);
@ -1582,6 +1584,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_out_mplane)) if (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))
break; break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func); CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++) for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i], CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline); bytesperline);
@ -1650,6 +1654,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane)) if (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))
break; break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func); CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++) for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i], CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline); bytesperline);
@ -1681,6 +1687,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_out_mplane)) if (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))
break; break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func); CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++) for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i], CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline); bytesperline);