From 609036a9e66f53d4d863efa448b5c4e4ac80f223 Mon Sep 17 00:00:00 2001
From: Paul Elder
Date: Tue, 16 Jun 2020 19:35:50 +0900
Subject: v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
There were no bounds checks for the index argument for VIDIOC_QUERYBUF, VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
Signed-off-by: Paul Elder
Reviewed-by: Jacopo Mondi
Reviewed-by: Laurent Pinchart
---
 src/v4l2/v4l2_camera_proxy.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/v4l2')
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index a222795d..941237c3 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -539,6 +539,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
 if (!validateBufferType(arg->type) || arg->index >= bufferCount_)
 return -EINVAL;
@@ -555,6 +558,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = " << arg->index << " fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
 if (!hasOwnership(file))
 return -EBUSY;
@@ -577,6 +583,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
 if (!hasOwnership(file))
 return -EBUSY;
--
cgit v1.2.1
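Review bot: The check added to vidioc_querybuf repeats a test the function already makes: the context line directly below it is `if (!validateBufferType(arg->type) || arg->index >= bufferCount_)`, which returns the same -EINVAL. Two copies of the bound mean two places to keep in step if the limit ever changes. Either drop the three added lines in this hunk, or keep them and reduce the existing condition to `if (!validateBufferType(arg->type))`. The body of vidioc_querybuf continues past the hunk, so later uses of arg->index are not visible here.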
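Review bot: In vidioc_qbuf the index check sits ahead of `if (!hasOwnership(file))`, so a file that does not own the stream and passes an out-of-range index now gets -EINVAL rather than -EBUSY. For a compatibility layer the error precedence is part of the contract; the kernel's videobuf2 ioctl helper appears to test queue ownership before it validates the buffer, so it is worth confirming which order callers expect. If ownership should win, move the new check below the `hasOwnership` block. The function body runs on outside the hunk.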
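Review bot: In vidioc_dqbuf the new check treats `arg->index` as an input, but the V4L2 description of VIDIOC_DQBUF has the application set only type, memory and reserved, with the driver filling in index on return. A caller that leaves index uninitialised could therefore be refused a valid dequeue with -EINVAL. The check also protects nothing if the function overwrites index with the dequeued buffer's number. The rest of the body is outside the hunk, so confirm whether arg->index is read before it is written. If it is not, drop these three lines and bound-check the index the function itself produces before it is used to address buffer storage.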