[libcamera-devel] [PATCH 1/2] libcamera: v4l2_videodevice: Check plane count when setting format

Laurent Pinchart laurent.pinchart at ideasonboard.com
Wed Oct 21 04:47:43 CEST 2020


When setting (or trying) a format with a multiplanar device, the
V4L2VideoDevice::trySetFormatMeta() function iterates over all planes
available in the V4L2DeviceFormat structure. The caller is responsible
for setting the plane count, and failure to do so properly may result in
memory corruption. This can lead to a crash way after the function
returns, making the problem difficult to debug.

As the issue is caused by a bug in the caller, use an assertion to catch
it.

Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
---
 src/libcamera/v4l2_videodevice.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/libcamera/v4l2_videodevice.cpp b/src/libcamera/v4l2_videodevice.cpp
index 16162e1edba3..3ba9e5ba134a 100644
--- a/src/libcamera/v4l2_videodevice.cpp
+++ b/src/libcamera/v4l2_videodevice.cpp
@@ -861,6 +861,8 @@ int V4L2VideoDevice::trySetFormatMultiplane(V4L2DeviceFormat *format, bool set)
 	pix->num_planes = format->planesCount;
 	pix->field = V4L2_FIELD_NONE;
 
+	ASSERT(pix->num_planes <= ARRAY_SIZE(pix->plane_fmt));
+
 	for (unsigned int i = 0; i < pix->num_planes; ++i) {
 		pix->plane_fmt[i].bytesperline = format->planes[i].bpl;
 		pix->plane_fmt[i].sizeimage = format->planes[i].size;
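
Review bot: The ASSERT added before the loop bounds pix->num_planes only against the destination array pix->plane_fmt, but the loop body also indexes format->planes[i], so a planesCount that fits plane_fmt yet exceeds the source array would still read out of bounds. If format->planes is a fixed-size array, assert against ARRAY_SIZE(format->planes) as well. Because the commit message describes the consequence as memory corruption, consider also returning an error such as -EINVAL when the count is too large, in case ASSERT is disabled in some build configurations and the loop then runs unchecked. The commit message names V4L2VideoDevice::trySetFormatMeta() while the hunk header shows the change is in trySetFormatMultiplane(); the message should name the function actually modified.
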
-- 
Regards,

Laurent Pinchart


