From patchwork Wed Dec 15 16:11:39 2010
X-Patchwork-Submitter: Antonio Ospite
X-Patchwork-Id: 5065
Date: Wed, 15 Dec 2010 17:11:39 +0100
From: Antonio Ospite
To: linux-media@vger.kernel.org
Subject: Question about libv4lconvert.
Message-Id: <20101215171139.b6c1f03a.ospite@studenti.unina.it>
X-Mailing-List: linux-media@vger.kernel.org

Hi,

I am taking a look at libv4lconvert, and I have a question about the logic in v4lconvert_convert_pixfmt(). In some conversion switches there is code like this:

	case V4L2_PIX_FMT_GREY:
		switch (dest_pix_fmt) {
		case V4L2_PIX_FMT_RGB24:
		case V4L2_PIX_FMT_BGR24:
			v4lconvert_grey_to_rgb24(src, dest, width, height);
			break;
		case V4L2_PIX_FMT_YUV420:
		case V4L2_PIX_FMT_YVU420:
			v4lconvert_grey_to_yuv420(src, dest, fmt);
			break;
		}
		if (src_size < (width * height)) {
			V4LCONVERT_ERR("short grey data frame\n");
			errno = EPIPE;
			result = -1;
		}
		break;

However, the conversion routines which are going to be called seem to assume that the buffers, in particular the source buffer, are of the correct full frame size when looping over them.

My question is: shouldn't the size check, now at the end of the case block, be at the _beginning_ of it instead, so as to detect a short frame before conversion and avoid a possible out-of-bounds access inside the conversion routine?

Some patches to show what I am saying:

Regards,
   Antonio

diff --git a/lib/libv4lconvert/libv4lconvert.c b/lib/libv4lconvert/libv4lconvert.c
index 26a0978..46e6500 100644
--- a/lib/libv4lconvert/libv4lconvert.c
+++ b/lib/libv4lconvert/libv4lconvert.c
@@ -854,7 +854,7 @@ static int v4lconvert_convert_pixfmt(struct v4lconvert_data *data,
 		if (src_size < (width * height)) {
 			V4LCONVERT_ERR("short grey data frame\n");
 			errno = EPIPE;
-			result = -1;
+			return -1;
 		}
 		break;
 	case V4L2_PIX_FMT_RGB565:

And:

diff --git a/lib/libv4lconvert/libv4lconvert.c b/lib/libv4lconvert/libv4lconvert.c
index 46e6500..a1a4858 100644
--- a/lib/libv4lconvert/libv4lconvert.c
+++ b/lib/libv4lconvert/libv4lconvert.c
@@ -841,6 +841,11 @@ static int v4lconvert_convert_pixfmt(struct v4lconvert_data *data,
 		break;
 
 	case V4L2_PIX_FMT_GREY:
+		if (src_size < (width * height)) {
+			V4LCONVERT_ERR("short grey data frame\n");
+			errno = EPIPE;
+			return -1;
+		}
 		switch (dest_pix_fmt) {
 		case V4L2_PIX_FMT_RGB24:
 		case V4L2_PIX_FMT_BGR24:
@@ -851,11 +856,6 @@ static int v4lconvert_convert_pixfmt(struct v4lconvert_data *data,
 			v4lconvert_grey_to_yuv420(src, dest, fmt);
 			break;
 		}
-		if (src_size < (width * height)) {
-			V4LCONVERT_ERR("short grey data frame\n");
-			errno = EPIPE;
-			return -1;
-		}
 		break;
 	case V4L2_PIX_FMT_RGB565:
 		switch (dest_pix_fmt) {
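Review bot: in the first patch's hunk (@@ -854,7 +854,7 @@), replacing `result = -1;` with `return -1;` changes control flow, not just the error value: the original sets `result` and falls through to `break`, so whatever the function does after the outer switch still runs on the error path, while the early return skips it. Confirm that nothing after the switch (cleanup, result handling) is needed when the frame is short. Since the second patch deletes this whole block anyway, fold this change into it rather than sending it as a separate step.

Review bot: in the first hunk of the second patch (@@ -841,6 +841,11 @@), moving the `src_size < (width * height)` check to the top of `case V4L2_PIX_FMT_GREY:` is the right fix for the ordering problem the mail describes, because `v4lconvert_grey_to_rgb24()` and `v4lconvert_grey_to_yuv420()` are only reached once the source is known to hold a full one-byte-per-pixel frame. Two follow-ups: the check uses `return -1` where the surrounding code used `result = -1` plus fall-through, so document why the early return is safe here, and say in the commit message whether the other format cases (the `V4L2_PIX_FMT_RGB565` case that follows is visible in the hunk context) have the same check-after-convert ordering and should be moved in the same patch.

Review bot: the second hunk (@@ -851,11 +856,6 @@) is the matching removal of the old check and is fine as is, but the patch carries no commit message or Signed-off-by. Describe the defect it fixes (a short GREY frame was passed to the conversion routine before the size check ran, so the routine could read past the end of the source buffer) so the change is not mistaken for a cosmetic move.

To make the "check before convert" ordering the mail argues for concrete, here is an added example of the GREY to RGB24 case with the size check ahead of the pixel loop; this is not libv4lconvert's code, and the function name and the explicit `src_size`/`dest_size` parameters are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Check-before-convert for the GREY -> RGB24 case. Added example, not
 * libv4lconvert's code: the function name and the explicit src_size /
 * dest_size parameters are assumptions. Returns 0 on success, -1 with
 * errno = EPIPE on a short source frame (as in the mail) or EINVAL on
 * bad geometry or an undersized destination. */
int grey_to_rgb24_checked(const uint8_t *src, size_t src_size,
			  uint8_t *dest, size_t dest_size,
			  unsigned int width, unsigned int height)
{
	size_t i, pixels;
	/* Guard the multiplication: a width*height that wraps would let the
	 * size check pass for a tiny buffer. */
	if (width != 0 && height > SIZE_MAX / width) {
		errno = EINVAL;
		return -1;
	}
	pixels = (size_t)width * height;
	/* Both checks run BEFORE the pixel loop, so a short frame never
	 * reaches code that reads src[0 .. pixels-1] or writes past dest. */
	if (src_size < pixels) {
		errno = EPIPE;
		return -1;
	}
	if (dest_size / 3 < pixels) {
		errno = EINVAL;
		return -1;
	}
	/* GREY is one byte per pixel; RGB24 gets it replicated into R, G, B. */
	for (i = 0; i < pixels; i++)
		dest[3 * i] = dest[3 * i + 1] = dest[3 * i + 2] = src[i];
	return 0;
}

/* Constructed sample: a 4x2 GREY frame. Returns 1 when the full frame
 * converts and a frame one byte short is rejected with EPIPE, else 0. */
int demo_check_before_convert(void)
{
	static const uint8_t frame[8] = {0, 1, 2, 3, 250, 251, 252, 253};
	uint8_t rgb[8 * 3];
	if (grey_to_rgb24_checked(frame, sizeof frame, rgb, sizeof rgb, 4, 2))
		return 0;
	if (rgb[0] != 0 || rgb[2] != 0 || rgb[12] != 250 || rgb[23] != 253)
		return 0;
	errno = 0;
	if (grey_to_rgb24_checked(frame, sizeof frame - 1, rgb, sizeof rgb, 4, 2) != -1)
		return 0;
	return errno == EPIPE;
}
```

The overflow guard on `width * height` is an extra caveat of this example, not something the mail raises: without it a size check can be satisfied by a buffer far smaller than the frame.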