in __qbuf_dmabuf, we check the dmabuf size against the plane size. In the monoplanar case, this length was not copied from the userspace and we were getting a random value. Signed-off-by: Kevin Grandemange <grandemange.kevin@xxxxxxxxx> --- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index 8fd84a6..af0e01c 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -482,7 +482,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user return -EFAULT; break; case V4L2_MEMORY_DMABUF: - if (get_user(kp->m.fd, &up->m.fd)) + if (get_user(kp->length, &up->length) || + get_user(kp->m.fd, &up->m.fd)) return -EFAULT; break; } -- 2.7.0.rc3 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
