summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Elder <paul.elder@ideasonboard.com>2020-06-16 19:35:50 +0900
committerPaul Elder <paul.elder@ideasonboard.com>2020-06-25 23:47:13 +0900
commit609036a9e66f53d4d863efa448b5c4e4ac80f223 (patch)
treeaab3a5b5afe9160957052b1b42c4f6b6b03bc90d
parent9909ce33f91b4ce7e9c61a28dbf91b7b24fd1161 (diff)
v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
There were no bounds checks for the index argument for VIDIOC_QUERYBUF, VIDIOC_QBUF, and VIDIOC_DQBUF. Add them. Signed-off-by: Paul Elder <paul.elder@ideasonboard.com> Reviewed-by: Jacopo Mondi <jacopo@jmondi.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-rw-r--r--src/v4l2/v4l2_camera_proxy.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index a222795d..941237c3 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -539,6 +539,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a
{
LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
if (!validateBufferType(arg->type) ||
arg->index >= bufferCount_)
return -EINVAL;
@@ -555,6 +558,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
<< arg->index << " fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
if (!hasOwnership(file))
return -EBUSY;
@@ -577,6 +583,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
{
LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd();
+ if (arg->index >= bufferCount_)
+ return -EINVAL;
+
if (!hasOwnership(file))
return -EBUSY;