[libcamera-devel,v4,18/22] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf

Message ID 20200624145256.48266-19-paul.elder@ideasonboard.com
State Accepted
Series
  • Support v4l2-compliance

Commit Message

Paul Elder June 24, 2020, 2:52 p.m. UTC
There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

---
No change in v4

Changes in v3:
- don't check for ownership on querybuf

No change in v2
---
 src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

Patch

diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 4c140eb..2aff53e 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -541,6 +541,9 @@  int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a
 {
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!validateBufferType(arg->type) ||
 	    arg->index >= bufferCount_)
 		return -EINVAL;
@@ -557,6 +560,9 @@  int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
 			       << arg->index << " fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!hasOwnership(file))
 		return -EBUSY;
 
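Review bot: In vidioc_qbuf the index check is placed ahead of `hasOwnership(file)`, so a file that does not own the device now gets -EINVAL or -EBUSY depending on the index it passes. The changelog only explains the ownership decision for querybuf; if validating the index before ownership is intended here as well, say so in the commit message or a one-line comment, otherwise move the check below the ownership test. The same three-line test is also repeated in each handler touched by this patch, so a small helper would keep the bound in one place.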
@@ -579,6 +585,9 @@  int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 {
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!hasOwnership(file))
 		return -EBUSY;
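Review bot: In vidioc_dqbuf the check reads `arg->index` as an input, but in the V4L2 API the application only sets type, memory and reserved for VIDIOC_DQBUF and the driver fills in index on return. A caller that leaves index uninitialised can therefore get -EINVAL from `if (arg->index >= bufferCount_)` on an otherwise valid dequeue. Consider dropping the input check here and instead making sure the index written back to the caller is within bufferCount_, or document why the proxy requires a valid index on entry.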