Commit 9048b2e1 authored by Sakari Ailus's avatar Sakari Ailus Committed by Mauro Carvalho Chehab

media: v4l: ioctl: Validate num_planes before using it

The for loop to reset the memory of the plane reserved fields runs over
num_planes provided by the user without validating it. Ensure num_planes
is no more than VIDEO_MAX_PLANES before the loop.

Fixes: 4e1e0eb0 ("media: v4l2-ioctl: Zero v4l2_plane_pix_format reserved fields")
Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: default avatarThierry Reding <treding@nvidia.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent dd91642a
......@@ -1551,6 +1551,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline);
......@@ -1582,6 +1584,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline);
......@@ -1650,6 +1654,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline);
......@@ -1681,6 +1687,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
bytesperline);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment