From 4177905e93cd9f2d1de81831d10fd9137cac3ad6 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Wed, 5 Mar 2008 20:24:43 +0000 Subject: V4L1 - fix v4l_compat_translate_ioctl possible NULL deref From: Cyrill Gorcunov There are possible NULL pointer derefs in case of kzalloc fails so fix them. Signed-off-by: Cyrill Gorcunov Signed-off-by: Mauro Carvalho Chehab --- linux/drivers/media/video/v4l1-compat.c | 50 +++++++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 9 deletions(-) (limited to 'linux') diff --git a/linux/drivers/media/video/v4l1-compat.c b/linux/drivers/media/video/v4l1-compat.c index 969b539a6..1931ba70b 100644 --- a/linux/drivers/media/video/v4l1-compat.c +++ b/linux/drivers/media/video/v4l1-compat.c @@ -315,7 +315,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_capability *cap = arg; - cap2 = kzalloc(sizeof(*cap2),GFP_KERNEL); + cap2 = kzalloc(sizeof(*cap2), GFP_KERNEL); + if (!cap2) { + err = -ENOMEM; + break; + } memset(cap, 0, sizeof(*cap)); memset(&fbuf2, 0, sizeof(fbuf2)); @@ -438,7 +442,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_window *win = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(win,0,sizeof(*win)); fmt2->type = V4L2_BUF_TYPE_VIDEO_OVERLAY; @@ -476,7 +484,11 @@ v4l_compat_translate_ioctl(struct inode *inode, struct video_window *win = arg; int err1,err2; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; drv(inode, file, VIDIOC_STREAMOFF, &fmt2->type); err1 = drv(inode, file, VIDIOC_G_FMT, fmt2); @@ -598,6 +610,12 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_picture *pict = arg; + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } + pict->brightness = get_v4l_control(inode, file, V4L2_CID_BRIGHTNESS,drv); pict->hue = get_v4l_control(inode, file, @@ -609,7 +627,6 @@ v4l_compat_translate_ioctl(struct inode *inode, pict->whiteness = get_v4l_control(inode, file, V4L2_CID_WHITENESS, drv); - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); if (err < 0) { @@ -629,6 +646,11 @@ v4l_compat_translate_ioctl(struct inode *inode, struct video_picture *pict = arg; int mem_err = 0, ovl_err = 0; + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(&fbuf2, 0, sizeof(fbuf2)); set_v4l_control(inode, file, @@ -648,7 +670,6 @@ v4l_compat_translate_ioctl(struct inode *inode, * different pixel formats for memory vs overlay. */ - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); /* If VIDIOC_G_FMT failed, then the driver likely doesn't @@ -908,7 +929,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_mmap *mm = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(&buf2,0,sizeof(buf2)); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; @@ -1004,7 +1029,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct vbi_format *fmt = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); @@ -1036,8 +1065,11 @@ v4l_compat_translate_ioctl(struct inode *inode, break; } - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); - + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; fmt2->fmt.vbi.samples_per_line = fmt->samples_per_line; fmt2->fmt.vbi.sampling_rate = fmt->sampling_rate; -- cgit v1.2.3