Le mardi 05 juin 2018 à 19:46 -0400, Nicolas Dufresne a écrit :
> Just like for ISOC, validate the decoded BULK buffer size when possible.
> This avoids sending corrupted or partial buffers to userspace, which may
> lead to application crash or run-time failure.
>
> Signed-off-by: Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx>
Ping. That was a year and a half ago and still applies.
> ---
> drivers/media/usb/uvc/uvc_video.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
> index aa0082fe5833..025ffac196f3 100644
> --- a/drivers/media/usb/uvc/uvc_video.c
> +++ b/drivers/media/usb/uvc/uvc_video.c
> @@ -1234,6 +1234,7 @@ static void uvc_video_next_buffers(struct uvc_streaming *stream,
> *meta_buf = uvc_queue_next_buffer(&stream->meta.queue,
> *meta_buf);
> }
> + uvc_video_validate_buffer(stream, *video_buf);
> *video_buf = uvc_queue_next_buffer(&stream->queue, *video_buf);
> }
>
> @@ -1258,10 +1259,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream,
> do {
> ret = uvc_video_decode_start(stream, buf, mem,
> urb->iso_frame_desc[i].actual_length);
> - if (ret == -EAGAIN) {
> - uvc_video_validate_buffer(stream, buf);
> + if (ret == -EAGAIN)
> uvc_video_next_buffers(stream, &buf, &meta_buf);
> - }
> } while (ret == -EAGAIN);
>
> if (ret < 0)
> @@ -1277,10 +1276,8 @@ static void uvc_video_decode_isoc(struct urb *urb, struct uvc_streaming *stream,
> uvc_video_decode_end(stream, buf, mem,
> urb->iso_frame_desc[i].actual_length);
>
> - if (buf->state == UVC_BUF_STATE_READY) {
> - uvc_video_validate_buffer(stream, buf);
> + if (buf->state == UVC_BUF_STATE_READY)
> uvc_video_next_buffers(stream, &buf, &meta_buf);
> - }
> }
> }
>
Attachment:
signature.asc
Description: This is a digitally signed message part
