Message ID | 20200616131244.70308-15-paul.elder@ideasonboard.com |
---|---|
State | Superseded |
Headers | show |
Series |
|
Related | show |
Hi Paul, On Tue, Jun 16, 2020 at 10:12:43PM +0900, Paul Elder wrote: > There were no bounds checks for the index argument for VIDIOC_QUERYBUF, > VIDIOC_QBUF, and VIDIOC_DQBUF. Add them. > Seems reasonable! Reviewed-by: Jacopo Mondi <jacopo@jmondi.org> Thanks j > Signed-off-by: Paul Elder <paul.elder@ideasonboard.com> > --- > src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp > index 81f9282..e4d534a 100644 > --- a/src/v4l2/v4l2_camera_proxy.cpp > +++ b/src/v4l2/v4l2_camera_proxy.cpp > @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg) > if (arg == nullptr) > return -EFAULT; > > + if (arg->index >= bufferCount_) > + return -EINVAL; > + > int ret = lock(fd); > if (ret < 0) > return ret; > @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg) > if (arg == nullptr) > return -EFAULT; > > + if (arg->index >= bufferCount_) > + return -EINVAL; > + > int ret = lock(fd); > if (ret < 0) > return ret; > @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg) > if (!streaming_) > return -EINVAL; > > + if (arg->index >= bufferCount_) > + return -EINVAL; > + > int ret = lock(fd); > if (ret < 0) > return ret; > -- > 2.27.0 > > _______________________________________________ > libcamera-devel mailing list > libcamera-devel@lists.libcamera.org > https://lists.libcamera.org/listinfo/libcamera-devel
On Wed, Jun 17, 2020 at 05:37:40PM +0200, Jacopo Mondi wrote: > On Tue, Jun 16, 2020 at 10:12:43PM +0900, Paul Elder wrote: > > There were no bounds checks for the index argument for VIDIOC_QUERYBUF, > > VIDIOC_QBUF, and VIDIOC_DQBUF. Add them. > > Seems reasonable! > Reviewed-by: Jacopo Mondi <jacopo@jmondi.org> Likewise, Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > Signed-off-by: Paul Elder <paul.elder@ideasonboard.com> > > --- > > src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp > > index 81f9282..e4d534a 100644 > > --- a/src/v4l2/v4l2_camera_proxy.cpp > > +++ b/src/v4l2/v4l2_camera_proxy.cpp > > @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg) > > if (arg == nullptr) > > return -EFAULT; > > > > + if (arg->index >= bufferCount_) > > + return -EINVAL; > > + > > int ret = lock(fd); > > if (ret < 0) > > return ret; > > @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg) > > if (arg == nullptr) > > return -EFAULT; > > > > + if (arg->index >= bufferCount_) > > + return -EINVAL; > > + > > int ret = lock(fd); > > if (ret < 0) > > return ret; > > @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg) > > if (!streaming_) > > return -EINVAL; > > > > + if (arg->index >= bufferCount_) > > + return -EINVAL; > > + > > int ret = lock(fd); > > if (ret < 0) > > return ret;
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp index 81f9282..e4d534a 100644 --- a/src/v4l2/v4l2_camera_proxy.cpp +++ b/src/v4l2/v4l2_camera_proxy.cpp @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg) if (arg == nullptr) return -EFAULT; + if (arg->index >= bufferCount_) + return -EINVAL; + int ret = lock(fd); if (ret < 0) return ret; @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg) if (arg == nullptr) return -EFAULT; + if (arg->index >= bufferCount_) + return -EINVAL; + int ret = lock(fd); if (ret < 0) return ret; @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg) if (!streaming_) return -EINVAL; + if (arg->index >= bufferCount_) + return -EINVAL; + int ret = lock(fd); if (ret < 0) return ret;
There were no bounds checks for the index argument for VIDIOC_QUERYBUF, VIDIOC_QBUF, and VIDIOC_DQBUF. Add them. Signed-off-by: Paul Elder <paul.elder@ideasonboard.com> --- src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++ 1 file changed, 9 insertions(+)