From e9463449049c78b6b1c61410082a5339338b2e81 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Wed, 21 Oct 2020 05:02:59 +0300 Subject: libcamera: v4l2_videodevice: Check plane count when setting format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When setting (or trying) a format with a multiplanar device, the V4L2VideoDevice::trySetFormatMeta() function iterates over all planes available in the V4L2DeviceFormat structure. The caller is responsible for setting the plane count, and failure to do so properly may result in memory corruption. This can lead to a crash way after the function returns, making the problem difficult to debug. As the issue is caused by a bug in the caller, use an assertion to catch it. Signed-off-by: Laurent Pinchart Reviewed-by: Niklas Söderlund Reviewed-by: Kieran Bingham --- src/libcamera/v4l2_videodevice.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/libcamera/v4l2_videodevice.cpp b/src/libcamera/v4l2_videodevice.cpp index d07c3530..ac3c8c7d 100644 --- a/src/libcamera/v4l2_videodevice.cpp +++ b/src/libcamera/v4l2_videodevice.cpp @@ -870,6 +870,8 @@ int V4L2VideoDevice::trySetFormatMultiplane(V4L2DeviceFormat *format, bool set) pix->num_planes = format->planesCount; pix->field = V4L2_FIELD_NONE; + ASSERT(pix->num_planes <= ARRAY_SIZE(pix->plane_fmt)); + for (unsigned int i = 0; i < pix->num_planes; ++i) { pix->plane_fmt[i].bytesperline = format->planes[i].bpl; pix->plane_fmt[i].sizeimage = format->planes[i].size; -- cgit v1.2.1