Hi Michael, Thanks for the patch. On Thursday 04 August 2011 17:40:37 Michael Jones wrote: > Add buffer length to sanity checks for QBUF. > > Signed-off-by: Michael Jones <michael.jones@xxxxxxxxxxxxxxxx> > --- > drivers/media/video/omap3isp/ispqueue.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/video/omap3isp/ispqueue.c > b/drivers/media/video/omap3isp/ispqueue.c index 9c31714..4f6876f 100644 > --- a/drivers/media/video/omap3isp/ispqueue.c > +++ b/drivers/media/video/omap3isp/ispqueue.c > @@ -867,6 +867,9 @@ int omap3isp_video_queue_qbuf(struct isp_video_queue > *queue, if (buf->state != ISP_BUF_STATE_IDLE) > goto done; > > + if (vbuf->length < buf->vbuf.length) > + goto done; > + The vbuf->length value passed from userspace isn't used by the driver, so I'm not sure if verifying it is really useful. We verify the memory itself instead, to make sure that enough pages can be accessed. The application can always lie about the length, so we can't relying on it anyway. > if (vbuf->memory == V4L2_MEMORY_USERPTR && > vbuf->m.userptr != buf->vbuf.m.userptr) { > isp_video_buffer_cleanup(buf); -- Regards, Laurent Pinchart -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html