From patchwork Wed Mar 10 10:57:03 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 2904 Return-path: Envelope-to: mchehab@infradead.org Delivery-date: Wed, 10 Mar 2010 10:57:45 +0000 Received: from bombadil.infradead.org [18.85.46.34] by pedra with IMAP (fetchmail-6.3.6) for (single-drop); Wed, 10 Mar 2010 07:58:36 -0300 (BRT) Received: from vger.kernel.org ([209.132.180.67]) by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux)) id 1NpJbl-00024i-4w; Wed, 10 Mar 2010 10:57:45 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756250Ab0CJK5V (ORCPT + 1 other); Wed, 10 Mar 2010 05:57:21 -0500 Received: from mail-wy0-f174.google.com ([74.125.82.174]:65071 "EHLO mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755199Ab0CJK5V (ORCPT ); Wed, 10 Mar 2010 05:57:21 -0500 Received: by wyb38 with SMTP id 38so35037wyb.19 for ; Wed, 10 Mar 2010 02:57:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:mime-version:content-type:content-disposition:user-agent; bh=hKwI/7o9YGUuylDGvVgLHpIwjapElgYCk0MaSFnn+v4=; b=AvggY1Xvt3cGYJXNYVRkH7yRfMr7WYE1R5l1ICUmrwiwxgLXmRmkThSimhRB4y9Krd bICVGA/5/lCTIugH3zw6TZQbql054+XaY1k1+ZZzp1i6ObfIMNtDH1wbj6vqorTqCxhz G7K3gVkT9yHIc/B3AQFh00a9eNov7le1FGzlk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=E8fkJFfc+t/G5hywtMCxNfU/RE1Dx9rkGRrcwMOA+8FRvdnPdrRvGrTuZ3vsXu+ZdZ O7rYHN3iSP8/3IYqTM5sby6U6MjXNYMyvRWv7ucHEs2UdLSFbDzV+Y6KHeU3wldck/xd NV3pQKT9/HziqDqzyl7bIxg9cvmAwITdhraqk= Received: by 10.216.86.210 with SMTP id w60mr795306wee.48.1268218639175; Wed, 10 Mar 2010 02:57:19 -0800 (PST) Received: from bicker ([196.43.68.85]) by mx.google.com with ESMTPS id t12sm20794203gvd.22.2010.03.10.02.57.12 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 10 Mar 2010 02:57:18 -0800 (PST) Date: Wed, 10 Mar 2010 13:57:03 +0300 From: Dan Carpenter To: linux-media@vger.kernel.org Cc: Mauro Carvalho Chehab , Laurent Pinchart , Greg Kroah-Hartman , Trent Piepho , Hans Verkuil , kernel-janitors@vger.kernel.org, sakari.ailus@nokia.com Subject: [patch] omap24xxcam: potential buffer overflow Message-ID: <20100310105703.GD6321@bicker> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The previous loop goes until last == VIDEO_MAX_FRAME, so this could potentially go one past the end of the loop. Signed-off-by: Dan Carpenter Acked-by: Sakari Ailus --- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/video/omap24xxcam.c b/drivers/media/video/omap24xxcam.c index 142c327..bedbee9 100644 --- a/drivers/media/video/omap24xxcam.c +++ b/drivers/media/video/omap24xxcam.c @@ -1404,7 +1404,7 @@ static int omap24xxcam_mmap_buffers(struct file *file, } size = 0; - for (i = first; i <= last; i++) { + for (i = first; i <= last && i < VIDEO_MAX_FRAME; i++) { struct videobuf_dmabuf *dma = videobuf_to_dma(vbq->bufs[i]); for (j = 0; j < dma->sglen; j++) {