diff options
author | Paul Elder <paul.elder@ideasonboard.com> | 2020-06-16 19:35:50 +0900 |
---|---|---|
committer | Paul Elder <paul.elder@ideasonboard.com> | 2020-06-25 23:47:13 +0900 |
commit | 609036a9e66f53d4d863efa448b5c4e4ac80f223 (patch) | |
tree | aab3a5b5afe9160957052b1b42c4f6b6b03bc90d | |
parent | 9909ce33f91b4ce7e9c61a28dbf91b7b24fd1161 (diff) |
v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf
There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.
Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-rw-r--r-- | src/v4l2/v4l2_camera_proxy.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp index a222795d..941237c3 100644 --- a/src/v4l2/v4l2_camera_proxy.cpp +++ b/src/v4l2/v4l2_camera_proxy.cpp @@ -539,6 +539,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a { LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!validateBufferType(arg->type) || arg->index >= bufferCount_) return -EINVAL; @@ -555,6 +558,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg) LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = " << arg->index << " fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!hasOwnership(file)) return -EBUSY; @@ -577,6 +583,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg) { LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd(); + if (arg->index >= bufferCount_) + return -EINVAL; + if (!hasOwnership(file)) return -EBUSY; |