{"id":8416,"url":"https://patchwork.libcamera.org/api/patches/8416/?format=json","web_url":"https://patchwork.libcamera.org/patch/8416/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20200624145256.48266-19-paul.elder@ideasonboard.com>","date":"2020-06-24T14:52:52","name":"[libcamera-devel,v4,18/22] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"92d9336d0d8fd0a953c0b09d4e7f8cf2e42df281","submitter":{"id":17,"url":"https://patchwork.libcamera.org/api/people/17/?format=json","name":"Paul Elder","email":"paul.elder@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/8416/mbox/","series":[{"id":1041,"url":"https://patchwork.libcamera.org/api/series/1041/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=1041","date":"2020-06-24T14:52:34","name":"Support v4l2-compliance","version":4,"mbox":"https://patchwork.libcamera.org/series/1041/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/8416/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/8416/checks/","tags":{},"headers":{"Return-Path":"<paul.elder@ideasonboard.com>","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 0EBF9609C7\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 24 Jun 2020 16:53:59 +0200 (CEST)","from jade.rasen.tech (unknown\n\t[IPv6:2400:4051:61:600:8147:f2a2:a8c6:9087])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id E9E9A2A8;\n\tWed, 24 Jun 2020 16:53:56 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass 
(1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"aXFHeXm+\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1593010438;\n\tbh=JTCBD0W7YzEbkXc5BhCVTvw3r7+8ZOtn8SCRH6eGFQg=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=aXFHeXm+z/CsPiQGTTesXbfXjaCpjXqcNhpBeEmOD1vdnwLpZiYER05cV43qf9T6z\n\tjWBU2EOeLCjfj0wnUt2lR6SM6e497nyw79MLf32ooYhUydajLcoTtuy6RyXZRP94Jb\n\tarSkZi6Vuy/43AsbH6sdW5koboLw9a6gHhNn99B4=","From":"Paul Elder <paul.elder@ideasonboard.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Wed, 24 Jun 2020 23:52:52 +0900","Message-Id":"<20200624145256.48266-19-paul.elder@ideasonboard.com>","X-Mailer":"git-send-email 2.27.0","In-Reply-To":"<20200624145256.48266-1-paul.elder@ideasonboard.com>","References":"<20200624145256.48266-1-paul.elder@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH v4 18/22] v4l2: v4l2_camera_proxy: Check\n\targ->index bounds for querybuf, qbuf, dqbuf","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","X-List-Received-Date":"Wed, 24 Jun 2020 14:53:59 -0000"},"content":"There were no bounds checks for the index argument for VIDIOC_QUERYBUF,\nVIDIOC_QBUF, and VIDIOC_DQBUF. 
Add them.\n\nSigned-off-by: Paul Elder <paul.elder@ideasonboard.com>\nReviewed-by: Jacopo Mondi <jacopo@jmondi.org>\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n---\nNo change in v4\n\nChanges in v3:\n- don't check for ownership on querybuf\n\nNo change in v2\n---\n src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++\n 1 file changed, 9 insertions(+)","diff":"diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp\nindex 4c140eb..2aff53e 100644\n--- a/src/v4l2/v4l2_camera_proxy.cpp\n+++ b/src/v4l2/v4l2_camera_proxy.cpp\n@@ -541,6 +541,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a\n {\n \tLOG(V4L2Compat, Debug) << \"Servicing vidioc_querybuf fd = \" << file->efd();\n \n+\tif (arg->index >= bufferCount_)\n+\t\treturn -EINVAL;\n+\n \tif (!validateBufferType(arg->type) ||\n \t    arg->index >= bufferCount_)\n \t\treturn -EINVAL;\n@@ -557,6 +560,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)\n \tLOG(V4L2Compat, Debug) << \"Servicing vidioc_qbuf, index = \"\n \t\t\t       << arg->index << \" fd = \" << file->efd();\n \n+\tif (arg->index >= bufferCount_)\n+\t\treturn -EINVAL;\n+\n \tif (!hasOwnership(file))\n \t\treturn -EBUSY;\n \n@@ -579,6 +585,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)\n {\n \tLOG(V4L2Compat, Debug) << \"Servicing vidioc_dqbuf fd = \" << file->efd();\n \n+\tif (arg->index >= bufferCount_)\n+\t\treturn -EINVAL;\n+\n \tif (!hasOwnership(file))\n \t\treturn -EBUSY;\n \n","prefixes":["libcamera-devel","v4","18/22"]}
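Review bot: in the vidioc_querybuf hunk the added `if (arg->index >= bufferCount_) return -EINVAL;` duplicates the test already present in the context lines directly below it, `if (!validateBufferType(arg->type) || arg->index >= bufferCount_)`, so the index is compared against bufferCount_ twice with the same result. Drop the added check in this function, or remove the `arg->index >= bufferCount_` clause from the existing condition so that only one comparison remains.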
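Review bot: in the vidioc_qbuf hunk the bounds check sits ahead of `if (!hasOwnership(file)) return -EBUSY;`, so a file that does not own the device gets -EINVAL for an out-of-range index and -EBUSY for a valid one. If that ordering is intended, say so in the commit message or in a short comment; otherwise move the check below the ownership test. The same three lines are also repeated in all three handlers and could live in one small helper next to validateBufferType().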
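Review bot: in the vidioc_dqbuf hunk the check reads arg->index as an input, but for VIDIOC_DQBUF the V4L2 API has the application set the type and memory fields and the driver fill in index on return. A caller that passes a v4l2_buffer with an uninitialised index can hit `return -EINVAL;` here even though the request itself is valid. Consider dropping the check from vidioc_dqbuf and keeping it for querybuf and qbuf, where index is supplied by the caller.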