On 06/22/2014 12:47 PM, Nikhil Devshatwar wrote: > verify_planes would fail if the user space fills up the data_offset field > and bytesused is left as zero. Correct this. > > Checking for data_offset > bytesused is not correct as it might fail some of > the valid use cases. e.g. when working with SEQ_TB buffers, for bottom field, > data_offset can be high but it can have less bytesused. > > The real check should be to verify that all the bytesused after data_offset > fit within the length of the plane. > > Signed-off-by: Nikhil Devshatwar <nikhil.nd@xxxxxx> > --- > drivers/media/v4l2-core/videobuf2-core.c | 9 +++------ > 1 file changed, 3 insertions(+), 6 deletions(-) > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c > index 7c4489c..9a0ccb6 100644 > --- a/drivers/media/v4l2-core/videobuf2-core.c > +++ b/drivers/media/v4l2-core/videobuf2-core.c > @@ -587,12 +587,9 @@ static int __verify_length(struct vb2_buffer *vb, const struct v4l2_buffer *b) > ? b->m.planes[plane].length > : vb->v4l2_planes[plane].length; > > - if (b->m.planes[plane].bytesused > length) > - return -EINVAL; > - > - if (b->m.planes[plane].data_offset > 0 && > - b->m.planes[plane].data_offset >= > - b->m.planes[plane].bytesused) > + if (b->m.planes[plane].bytesused > 0 && > + b->m.planes[plane].data_offset + > + b->m.planes[plane].bytesused > length) Nacked-by: Hans Verkuil <hans.verkuil@xxxxxxxxx> bytesused *includes* data_offset. So the effective payload is 'bytesused - data_offset' starting at offset 'data_offset' from the start of the buffer. So your new condition is wrong. Regards, Hans > return -EINVAL; > } > } else { >
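
Review bot: the `bytesused > 0 &&` guard on the first added line of the __verify_length hunk means a plane with bytesused of zero is no longer validated at all, so a data_offset larger than length now passes, where the removed lines returned -EINVAL for any non-zero data_offset that was >= bytesused. The sum `data_offset + bytesused` on the next two added lines is also built from two values that the commit message says user space fills in, and nothing in the hunk bounds either operand before the addition, so a wrapped sum would compare as small against length. I would keep the standalone `bytesused > length` check from the removed lines and, if a combined bound is still wanted, write it without an addition (reject data_offset > length first, then compare bytesused against length - data_offset). Separately, the reply in this thread states that bytesused already includes data_offset; under that definition the sum counts the offset twice, so the hunk should document which definition it assumes.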
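
The two conditions in the hunk, run side by side over constructed plane values, using the meaning of bytesused given in the reply. This is an added user-space example, not code from the patch or the kernel tree; `struct plane_desc`, the function names and the sample values are hypothetical, and the three fields are assumed to be 32-bit unsigned.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the three plane fields the hunk reads;
 * modelled as 32-bit unsigned values (an assumption of this example). */
struct plane_desc {
    uint32_t length;      /* size of the plane buffer */
    uint32_t bytesused;   /* per the reply: counted from buffer start, includes data_offset */
    uint32_t data_offset; /* where the payload begins */
};

/* The condition on the removed ('-') lines of the hunk. */
static int check_removed(const struct plane_desc *p)
{
    if (p->bytesused > p->length)
        return -EINVAL;
    if (p->data_offset > 0 && p->data_offset >= p->bytesused)
        return -EINVAL;
    return 0;
}

/* The condition on the added ('+') lines of the hunk. */
static int check_proposed(const struct plane_desc *p)
{
    if (p->bytesused > 0 && p->data_offset + p->bytesused > p->length)
        return -EINVAL;
    return 0;
}

/* Constructed sample planes, each 4096 bytes long. */
/* Payload of 2048 bytes in the second half: bytesused = 2048 + 2048. */
static const struct plane_desc bottom_field = { 4096, 4096, 2048 };
/* bytesused left at zero, data_offset beyond the plane. */
static const struct plane_desc offset_only = { 4096, 0, 8192 };
/* The 32-bit sum wraps to 0x10, which is below length. */
static const struct plane_desc wrapping = { 4096, 0x20, 0xFFFFFFF0u };

int main(void)
{
    const struct plane_desc *s[] = { &bottom_field, &offset_only, &wrapping };
    for (size_t i = 0; i < 3; i++)
        printf("bytesused=%u data_offset=%u: removed=%d proposed=%d\n",
               (unsigned)s[i]->bytesused, (unsigned)s[i]->data_offset,
               check_removed(s[i]), check_proposed(s[i]));
    return 0;
}
```

The first sample is a buffer that is valid under the reply's definition yet rejected by the added condition; the other two are out-of-range offsets that the added condition accepts.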