Hi Nikhil,

First of all, sorry for the delay in answering. I needed some time to really look at this.

Anyway, this patch as is is not good enough since it does not handle the case where data_offset is > length and bytesused == 0. However, I think the solution should be done differently. I'll prepare a patch for this and CC it to you so you can take a look at it.

Regards,

Hans

On 06/23/2014 11:45 AM, Nikhil Devshatwar wrote:
> verify_length would fail if the user space fills up the data_offset field
> and bytesused is left as zero. Correct this.
>
> If bytesused is not populated, it means bytesused is the same as length.
> Checking data offset >= bytesused makes sense only if bytesused is valid.
>
> Signed-off-by: Nikhil Devshatwar <nikhil.nd@xxxxxx>
> ---
> drivers/media/v4l2-core/videobuf2-core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
> index 7c4489c..369a155 100644
> --- a/drivers/media/v4l2-core/videobuf2-core.c
> +++ b/drivers/media/v4l2-core/videobuf2-core.c
> @@ -590,7 +590,7 @@ static int __verify_length(struct vb2_buffer *vb, const struct v4l2_buffer *b)
> if (b->m.planes[plane].bytesused > length)
> return -EINVAL;
>
> - if (b->m.planes[plane].data_offset > 0 &&
> + if (b->m.planes[plane].bytesused > 0 &&
> b->m.planes[plane].data_offset >=
> b->m.planes[plane].bytesused)
> return -EINVAL;
> --
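Review bot: The replacement condition in the `__verify_length` hunk disables the data_offset check entirely whenever `bytesused` is 0, so a plane with `bytesused == 0` and a `data_offset` larger than `length` now passes validation, which is exactly the case raised in the reply above. Since the commit message itself states that an unpopulated `bytesused` means `bytesused == length`, the check should fall back to `length` in that case instead of being skipped: compute the effective size first (`bytesused ? bytesused : length`) and then reject `data_offset >= effective`, keeping the existing `bytesused > length` check before it.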