Check buffer index is in range inside atomisp_qbuf_wrapper() before
using it do index pipe->frame_request_config_id[].
Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
---
drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
index 9cb9685d91bb..d0dd3dbd6f6a 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
@@ -1056,6 +1056,9 @@ static int atomisp_qbuf_wrapper(struct file *file, void *fh, struct v4l2_buffer
struct atomisp_video_pipe *pipe = atomisp_to_video_pipe(vdev);
/* FIXME this abuse of buf->reserved2 comes from the original atomisp buffer handling */
+ if (buf->index >= vdev->queue->num_buffers)
+ return -EINVAL;
+
if (!atomisp_is_vf_pipe(pipe) &&
(buf->reserved2 & ATOMISP_BUFFER_HAS_PER_FRAME_SETTING)) {
/* this buffer will have a per-frame parameter */
--
2.39.0
