omap24xxcam: potential buffer overflow
Commit Message
The previous loop goes until last == VIDEO_MAX_FRAME, so this could
potentially go one past the end of the loop.
Signed-off-by: Dan Carpenter <error27@gmail.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
Dan Carpenter wrote:
> The previous loop goes until last == VIDEO_MAX_FRAME, so this could
> potentially go one past the end of the loop.
Hi Dan,
Thanks for the patch!
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> diff --git a/drivers/media/video/omap24xxcam.c b/drivers/media/video/omap24xxcam.c
> index 142c327..bedbee9 100644
> --- a/drivers/media/video/omap24xxcam.c
> +++ b/drivers/media/video/omap24xxcam.c
> @@ -1404,7 +1404,7 @@ static int omap24xxcam_mmap_buffers(struct file *file,
> }
>
> size = 0;
> - for (i = first; i <= last; i++) {
> + for (i = first; i <= last && i < VIDEO_MAX_FRAME; i++) {
> struct videobuf_dmabuf *dma = videobuf_to_dma(vbq->bufs[i]);
>
> for (j = 0; j < dma->sglen; j++) {
That function is quite an ugly piece of code... This patch fixes an
obvious bug in it.
Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
@@ -1404,7 +1404,7 @@ static int omap24xxcam_mmap_buffers(struct file *file,
}
size = 0;
- for (i = first; i <= last; i++) {
+ for (i = first; i <= last && i < VIDEO_MAX_FRAME; i++) {
struct videobuf_dmabuf *dma = videobuf_to_dma(vbq->bufs[i]);
for (j = 0; j < dma->sglen; j++) {