a7y18lte-ubports/android_kernel_samsung_universal7885
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dfa11d5862
android_kernel_samsung_univ.../drivers/media
History
Sakari Ailus 19a4e46b45 videobuf2-v4l2: Verify planes array in buffer dequeueing 
commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab upstream.

When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
which will be dequeued is not known until the buffer has been removed from
the queue. The number of planes is specific to a buffer, not to the queue.

This does lead to the situation where multi-plane buffers may be requested
and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
struct with fewer planes.

__fill_v4l2_buffer() however uses the number of planes from the dequeued
videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
planes than the dequeued buffer had. Oops!

Fixes: b0e0e1f83d ("[media] media: videobuf2: Prepare to divide videobuf2")

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-05-04 14:48:50 -07:00
..
common
dvb-core media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode 2016-03-03 15:07:13 -08:00
dvb-frontends tda1004x: only update the frontend properties if locked 2016-03-03 15:07:14 -08:00
firewire
i2c adv7511: TX_EDID_PRESENT is still 1 after a disconnect 2016-04-12 09:08:50 -07:00
mmc
pci bttv: Width must be a multiple of 16 when capturing planar formats 2016-04-12 09:08:50 -07:00
platform v4l: vsp1: Set the SRU CTRL0 register when starting the stream 2016-04-20 15:42:09 +09:00
radio [media] radio: Drop owner assignment from i2c_driver 2015-08-11 13:01:08 -03:00
rc rc: sunxi-cir: Initialize the spinlock properly 2016-03-03 15:07:13 -08:00
tuners si2157: return -EINVAL if firmware blob is too big 2016-03-03 15:07:14 -08:00
usb usbvision: fix crash on detecting device with invalid configuration 2016-04-20 15:42:17 +09:00
v4l2-core videobuf2-v4l2: Verify planes array in buffer dequeueing 2016-05-04 14:48:50 -07:00
Kconfig
Makefile
media-device.c
media-devnode.c
media-entity.c [media] media-entity.c: get rid of var length arrays 2015-10-01 18:10:05 -03:00