[libcamera-devel,14/15] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf

Message ID 20200616131244.70308-15-paul.elder@ideasonboard.com
State Superseded
Series
  • Support v4l2-compliance

Commit Message

Paul Elder June 16, 2020, 1:12 p.m. UTC
There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
---
 src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Jacopo Mondi June 17, 2020, 3:37 p.m. UTC | #1
Hi Paul,

On Tue, Jun 16, 2020 at 10:12:43PM +0900, Paul Elder wrote:
> There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
> VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
>

Seems reasonable!
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>

Thanks
  j

> Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
> ---
>  src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
> index 81f9282..e4d534a 100644
> --- a/src/v4l2/v4l2_camera_proxy.cpp
> +++ b/src/v4l2/v4l2_camera_proxy.cpp
> @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
>  	if (arg == nullptr)
>  		return -EFAULT;
>
> +	if (arg->index >= bufferCount_)
> +		return -EINVAL;
> +
>  	int ret = lock(fd);
>  	if (ret < 0)
>  		return ret;
> @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
>  	if (arg == nullptr)
>  		return -EFAULT;
>
> +	if (arg->index >= bufferCount_)
> +		return -EINVAL;
> +
>  	int ret = lock(fd);
>  	if (ret < 0)
>  		return ret;
> @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
>  	if (!streaming_)
>  		return -EINVAL;
>
> +	if (arg->index >= bufferCount_)
> +		return -EINVAL;
> +
>  	int ret = lock(fd);
>  	if (ret < 0)
>  		return ret;
> --
> 2.27.0
>
> _______________________________________________
> libcamera-devel mailing list
> libcamera-devel@lists.libcamera.org
> https://lists.libcamera.org/listinfo/libcamera-devel
Laurent Pinchart June 17, 2020, 3:56 p.m. UTC | #2
On Wed, Jun 17, 2020 at 05:37:40PM +0200, Jacopo Mondi wrote:
> On Tue, Jun 16, 2020 at 10:12:43PM +0900, Paul Elder wrote:
> > There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
> > VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
> 
> Seems reasonable!
> Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>

Likewise,

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> > Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
> > ---
> >  src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> >
> > diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
> > index 81f9282..e4d534a 100644
> > --- a/src/v4l2/v4l2_camera_proxy.cpp
> > +++ b/src/v4l2/v4l2_camera_proxy.cpp
> > @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
> >  	if (arg == nullptr)
> >  		return -EFAULT;
> >
> > +	if (arg->index >= bufferCount_)
> > +		return -EINVAL;
> > +
> >  	int ret = lock(fd);
> >  	if (ret < 0)
> >  		return ret;
> > @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
> >  	if (arg == nullptr)
> >  		return -EFAULT;
> >
> > +	if (arg->index >= bufferCount_)
> > +		return -EINVAL;
> > +
> >  	int ret = lock(fd);
> >  	if (ret < 0)
> >  		return ret;
> > @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
> >  	if (!streaming_)
> >  		return -EINVAL;
> >
> > +	if (arg->index >= bufferCount_)
> > +		return -EINVAL;
> > +
> >  	int ret = lock(fd);
> >  	if (ret < 0)
> >  		return ret;

Patch

diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 81f9282..e4d534a 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -588,6 +588,9 @@  int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
 	if (arg == nullptr)
 		return -EFAULT;
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(fd);
 	if (ret < 0)
 		return ret;
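Review bot: The new `arg->index >= bufferCount_` test runs before `lock(fd)`, so `bufferCount_` is read before the call that gates access to the device; the vidioc_qbuf hunk uses the same ordering. If `bufferCount_` can change from another thread or file descriptor (for example through a concurrent VIDIOC_REQBUFS, which is not visible here), an index could pass the check and be out of range by the time it is used. Consider moving the check below the `lock(fd)` block, or, if the invariant holds, document it with a comment such as `/* bufferCount_ only changes under the lock owner; safe to read here */`. Both function bodies start and end outside their hunks, so how the index is used afterwards cannot be confirmed from this page.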
@@ -610,6 +613,9 @@  int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
 	if (arg == nullptr)
 		return -EFAULT;
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(fd);
 	if (ret < 0)
 		return ret;
@@ -639,6 +645,9 @@  int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
 	if (!streaming_)
 		return -EINVAL;
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	int ret = lock(fd);
 	if (ret < 0)
 		return ret;
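Review bot: In vidioc_dqbuf the added check tests `arg->index` on entry, but for VIDIOC_DQBUF the V4L2 API treats `index` as a field filled in on return; the application only has to set `type`, `memory` and `reserved`. A caller that passes a `v4l2_buffer` with an uninitialised `index` can therefore get a spurious `-EINVAL`. The check also adds little protection here, since the dequeued index is presumably chosen by the proxy later in the function, outside this hunk. I would drop the check from this function and instead validate the index the proxy itself writes into `arg` before it is used to address a buffer. The visible context also shows no `arg == nullptr` test before this dereference; it may sit above the hunk, since the function starts outside it.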