Commit 9048b2e1 authored by Sakari Ailus's avatar Sakari Ailus Committed by Mauro Carvalho Chehab
Browse files

media: v4l: ioctl: Validate num_planes before using it 



The for loop to reset the memory of the plane reserved fields runs over
num_planes provided by the user without validating it. Ensure num_planes
is no more than VIDEO_MAX_PLANES before the loop.

Fixes: 4e1e0eb0 ("media: v4l2-ioctl: Zero v4l2_plane_pix_format reserved fields")

Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: default avatarThierry Reding <treding@nvidia.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent dd91642a

drivers/media/v4l2-core/v4l2-ioctl.c

+8 −0
Original line number Diff line number Diff line
@@ -1551,6 +1551,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops, 
		if (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))

			break;

		CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);

		if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)

			break;

		for (i = 0; i < p->fmt.pix_mp.num_planes; i++)

			CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],

					  bytesperline);
@@ -1582,6 +1584,8 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops, 
		if (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))

			break;

		CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);

		if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)

			break;

		for (i = 0; i < p->fmt.pix_mp.num_planes; i++)

			CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],

					  bytesperline);
@@ -1650,6 +1654,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops, 
		if (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))

			break;

		CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);

		if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)

			break;

		for (i = 0; i < p->fmt.pix_mp.num_planes; i++)

			CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],

					  bytesperline);
@@ -1681,6 +1687,8 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops, 
		if (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))

			break;

		CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);

		if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)

			break;

		for (i = 0; i < p->fmt.pix_mp.num_planes; i++)

			CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],

					  bytesperline);