Le mardi 05 juin 2018 à 19:46 -0400, Nicolas Dufresne a écrit : > Just like for ISOC, validate the decoded BULK buffer size when possible. > This avoids sending corrupted or partial buffers to userspace, which may > lead to application crash or run-time failure. > > Signed-off-by: Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx> Ping. That was a year and a half ago and still applies. > --- > drivers/media/usb/uvc/uvc_video.c | 9 +++------ > 1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c > index aa0082fe5833..025ffac196f3 100644 > --- a/drivers/media/usb/uvc/uvc_video.c > +++ b/drivers/media/usb/uvc/uvc_video.c > @@ -1234,6 +1234,7 @@ static void uvc_video_next_buffers(struct uvc_streaming *stream, > *meta_buf = uvc_queue_next_buffer(&stream->meta.queue, > *meta_buf); > } > + uvc_video_validate_buffer(stream, *video_buf); > *video_buf = uvc_queue_next_buffer(&stream->queue, *video_buf); > } > > @@ -1258,10 +1259,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream, > do { > ret = uvc_video_decode_start(stream, buf, mem, > urb->iso_frame_desc[i].actual_length); > - if (ret == -EAGAIN) { > - uvc_video_validate_buffer(stream, buf); > + if (ret == -EAGAIN) > uvc_video_next_buffers(stream, &buf, &meta_buf); > - } > } while (ret == -EAGAIN); > > if (ret < 0) > @@ -1277,10 +1276,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream, > uvc_video_decode_end(stream, buf, mem, > urb->iso_frame_desc[i].actual_length); > > - if (buf->state == UVC_BUF_STATE_READY) { > - uvc_video_validate_buffer(stream, buf); > + if (buf->state == UVC_BUF_STATE_READY) > uvc_video_next_buffers(stream, &buf, &meta_buf); > - } > } > } >
Attachment:
signature.asc
Description: This is a digitally signed message part