[libcamera-devel] [PATCH 14/15] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
Paul Elder
paul.elder at ideasonboard.com
Tue Jun 16 15:12:43 CEST 2020
There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
Signed-off-by: Paul Elder <paul.elder at ideasonboard.com>
---
src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 81f9282..e4d534a 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
if (arg == nullptr)
return -EFAULT;
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(fd);
if (ret < 0)
return ret;
@@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
if (arg == nullptr)
return -EFAULT;
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(fd);
if (ret < 0)
return ret;
@@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
if (!streaming_)
return -EINVAL;
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
int ret = lock(fd);
if (ret < 0)
return ret;
--
2.27.0
More information about the libcamera-devel
mailing list