verify_length would fail if the user space fills up the data_offset field and bytesused is left as zero. Correct this. If bytesused is not populated, it means bytesused is the same as length. Checking data offset >= bytesused makes sense only if bytesused is valid. Signed-off-by: Nikhil Devshatwar <nikhil.nd@xxxxxx> --- drivers/media/v4l2-core/videobuf2-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c index 7c4489c..369a155 100644 --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -590,7 +590,7 @@ static int __verify_length(struct vb2_buffer *vb, const struct v4l2_buffer *b) if (b->m.planes[plane].bytesused > length) return -EINVAL; - if (b->m.planes[plane].data_offset > 0 && + if (b->m.planes[plane].bytesused > 0 && b->m.planes[plane].data_offset >= b->m.planes[plane].bytesused) return -EINVAL; -- 1.7.9.5
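Review bot: with the new condition `if (b->m.planes[plane].bytesused > 0 &&` the data_offset check is skipped entirely whenever bytesused is zero, so a user-supplied data_offset that is larger than the plane is no longer rejected at all; the preceding context only bounds bytesused (`if (b->m.planes[plane].bytesused > length) return -EINVAL;`), not data_offset. Since the commit message itself says a zero bytesused means "same as length", the check should be made against that effective value rather than dropped: compute a local such as `bytesused = b->m.planes[plane].bytesused ? b->m.planes[plane].bytesused : length;` and keep `if (b->m.planes[plane].data_offset >= bytesused) return -EINVAL;`, which preserves the original rejection of an out-of-range offset for both populated and unpopulated bytesused. A one-line note in the commit message that data_offset is now validated against length in the zero case would also help future readers of the validation path.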