From patchwork Wed Jun 24 14:52:52 2020
X-Patchwork-Submitter: Paul Elder
X-Patchwork-Id: 8416
From: Paul Elder
To: libcamera-devel@lists.libcamera.org
Date: Wed, 24 Jun 2020 23:52:52 +0900
Message-Id: <20200624145256.48266-19-paul.elder@ideasonboard.com>
In-Reply-To: <20200624145256.48266-1-paul.elder@ideasonboard.com>
References: <20200624145256.48266-1-paul.elder@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v4 18/22] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf

There were no bounds checks for the index argument for VIDIOC_QUERYBUF, VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.

Signed-off-by: Paul Elder Reviewed-by: Jacopo Mondi Reviewed-by: Laurent Pinchart --- No change in v4 Changes in v3: - don't check for ownership on querybuf No change in v2 --- src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp index 4c140eb..2aff53e 100644 --- a/src/v4l2/v4l2_camera_proxy.cpp +++ b/src/v4l2/v4l2_camera_proxy.cpp @@ -541,6 +541,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a { LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!validateBufferType(arg->type) || arg->index >= bufferCount_) return -EINVAL; @@ -557,6 +560,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg) LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = " << arg->index << " fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!hasOwnership(file)) return -EBUSY; @@ -579,6 +585,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg) { LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!hasOwnership(file)) return -EBUSY;
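
Review bot: In the vidioc_querybuf hunk the added `if (arg->index >= bufferCount_) return -EINVAL;` duplicates the test already present in the unchanged line right after it, `if (!validateBufferType(arg->type) || arg->index >= bufferCount_)`, so the index was already bounded on this path and the new check can never change the result. Drop the new check, or remove the `arg->index >= bufferCount_` term from the existing condition so the bound is tested in one place. The commit message's "no bounds checks" statement then applies to QBUF and DQBUF only and should say so.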
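
Review bot: In the vidioc_qbuf hunk the index check sits before `if (!hasOwnership(file)) return -EBUSY;`, so a file that does not own the device gets -EINVAL or -EBUSY depending on the index it happened to pass, instead of a consistent -EBUSY. Consider placing the bounds check after the ownership check, or note in the commit message that validating arguments first is the intended order.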
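
Review bot: In the vidioc_dqbuf hunk `arg->index` is validated on entry, but for VIDIOC_DQBUF the V4L2 API has the application set only the type, memory and reserved fields, and index is filled in on return. A caller that leaves index uninitialised will get -EINVAL from an otherwise valid dequeue whenever the stale value is >= bufferCount_. Suggest dropping this check from dqbuf and keeping the bound on QUERYBUF and QBUF, where index is an input.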