diff options
| author | Mauro Carvalho Chehab <mchehab@infradead.org> | 2007-10-05 12:26:27 -0700 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2007-10-05 12:26:27 -0700 |
| commit | 161653daccfd120c87b56249ac18d81e05b01ddd (patch) | |
| tree | bfdc332ec53e918d9ba9ec1b8407986120538991 | |
| parent | 2c620029905d1d8a6b7a1d1861c12feaf3b4087e (diff) | |
| download | mediapointer-dvb-s2-161653daccfd120c87b56249ac18d81e05b01ddd.tar.gz mediapointer-dvb-s2-161653daccfd120c87b56249ac18d81e05b01ddd.tar.bz2 | |
V4L: videobuf-core.c avoid NULL dereferences in videobuf-core
From: Brandon Philips <bphilips@suse.de>
The return value of videobuf_alloc() is unchecked but this function will
return NULL on an error. Check for NULL and make videobuf_reqbufs()
return the number of successfully allocated buffers.
Also, fix saa7146_video.c and bttv-driver.c to use this returned
buffer count.
Tested against the vivi driver. Not tested against saa7146 or bt8xx
devices.
Signed-off-by: Brandon Philips <bphilips@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
| -rw-r--r-- | linux/drivers/media/common/saa7146_video.c | 2 | ||||
| -rw-r--r-- | linux/drivers/media/video/bt8xx/bttv-driver.c | 2 | ||||
| -rw-r--r-- | linux/drivers/media/video/videobuf-core.c | 18 |
3 files changed, 17 insertions, 5 deletions
diff --git a/linux/drivers/media/common/saa7146_video.c b/linux/drivers/media/common/saa7146_video.c index c2624b363..67d79a081 100644 --- a/linux/drivers/media/common/saa7146_video.c +++ b/linux/drivers/media/common/saa7146_video.c @@ -1213,6 +1213,8 @@ int saa7146_video_do_ioctl(struct inode *inode, struct file *file, unsigned int mutex_unlock(&q->lock); return err; } + + gbuffers = err; memset(mbuf,0,sizeof(*mbuf)); mbuf->frames = gbuffers; mbuf->size = gbuffers * gbufsize; diff --git a/linux/drivers/media/video/bt8xx/bttv-driver.c b/linux/drivers/media/video/bt8xx/bttv-driver.c index 99cb475cd..4cc02c8e1 100644 --- a/linux/drivers/media/video/bt8xx/bttv-driver.c +++ b/linux/drivers/media/video/bt8xx/bttv-driver.c @@ -3113,6 +3113,8 @@ static int bttv_do_ioctl(struct inode *inode, struct file *file, V4L2_MEMORY_MMAP); if (retval < 0) goto fh_unlock_and_return; + + gbuffers = retval; memset(mbuf,0,sizeof(*mbuf)); mbuf->frames = gbuffers; mbuf->size = gbuffers * gbufsize; diff --git a/linux/drivers/media/video/videobuf-core.c b/linux/drivers/media/video/videobuf-core.c index efc389f58..d7234d626 100644 --- a/linux/drivers/media/video/videobuf-core.c +++ b/linux/drivers/media/video/videobuf-core.c @@ -330,7 +330,7 @@ int videobuf_reqbufs(struct videobuf_queue *q, goto done; } - req->count = count; + req->count = retval; done: mutex_unlock(&q->lock); @@ -699,7 +699,7 @@ int videobuf_read_start(struct videobuf_queue *q) { enum v4l2_field field; unsigned long flags=0; - int count = 0, size = 0; + unsigned int count = 0, size = 0; int err, i; q->ops->buf_setup(q,&count,&size); @@ -710,9 +710,11 @@ int videobuf_read_start(struct videobuf_queue *q) size = PAGE_ALIGN(size); err = videobuf_mmap_setup(q, count, size, V4L2_MEMORY_USERPTR); - if (err) + if (err < 0) return err; + count = err; + for (i = 0; i < count; i++) { field = videobuf_next_field(q); err = q->ops->buf_prepare(q,q->bufs[i],field); @@ -877,6 +879,9 @@ int videobuf_mmap_setup(struct videobuf_queue *q, for (i = 0; i < bcount; i++) { q->bufs[i] = videobuf_alloc(q); + if (q->bufs[i] == NULL) + break; + q->bufs[i]->i = i; q->bufs[i]->input = UNSET; q->bufs[i]->memory = memory; @@ -892,10 +897,13 @@ int videobuf_mmap_setup(struct videobuf_queue *q, } } + if (!i) + return -ENOMEM; + dprintk(1,"mmap setup: %d buffers, %d bytes each\n", - bcount,bsize); + i, bsize); - return 0; + return i; } int videobuf_mmap_free(struct videobuf_queue *q) |