[libcamera-devel] [PATCH 14/15] v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
Jacopo Mondi
jacopo at jmondi.org
Wed Jun 17 17:37:40 CEST 2020
Hi Paul,
On Tue, Jun 16, 2020 at 10:12:43PM +0900, Paul Elder wrote:
> There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
> VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
>
Seems reasonable!
Reviewed-by: Jacopo Mondi <jacopo at jmondi.org>
Thanks
j
> Signed-off-by: Paul Elder <paul.elder at ideasonboard.com>
> ---
> src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
> index 81f9282..e4d534a 100644
> --- a/src/v4l2/v4l2_camera_proxy.cpp
> +++ b/src/v4l2/v4l2_camera_proxy.cpp
> @@ -588,6 +588,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
> if (arg == nullptr)
> return -EFAULT;
>
> + if (arg->index >= bufferCount_)
> + return -EINVAL;
> +
> int ret = lock(fd);
> if (ret < 0)
> return ret;
> @@ -610,6 +613,9 @@ int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
> if (arg == nullptr)
> return -EFAULT;
>
> + if (arg->index >= bufferCount_)
> + return -EINVAL;
> +
> int ret = lock(fd);
> if (ret < 0)
> return ret;
> @@ -639,6 +645,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
> if (!streaming_)
> return -EINVAL;
>
> + if (arg->index >= bufferCount_)
> + return -EINVAL;
> +
> int ret = lock(fd);
> if (ret < 0)
> return ret;
> --
> 2.27.0
>
> _______________________________________________
> libcamera-devel mailing list
> libcamera-devel at lists.libcamera.org
> https://lists.libcamera.org/listinfo/libcamera-devel
More information about the libcamera-devel
mailing list