From 1029e7a71e51ebd6bd01f973b427c95634401f15 Mon Sep 17 00:00:00 2001 From: Dave Stevenson Date: Sat, 29 Jun 2019 21:31:41 +0200 Subject: staging: bcm2835-camera: Add sanity checks for queue_setup/CREATE_BUFS Fixes a v4l2-compliance failure when passed a buffer that is too small. queue_setup wasn't handling the case where *nplanes != 0, as used from CREATE_BUFS and requiring the driver to sanity check the provided buffer parameters. It was assuming that it was always being used in the REQBUFS case where it provides the buffer properties. Signed-off-by: Dave Stevenson Signed-off-by: Stefan Wahren Acked-by: Hans Verkuil Acked-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- .../vc04_services/bcm2835-camera/bcm2835-camera.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'drivers/staging/vc04_services') diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c index 8fd38728ec02..80988ac43a06 100644 --- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c +++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c @@ -236,6 +236,22 @@ static int queue_setup(struct vb2_queue *vq, return -EINVAL; } + /* Handle CREATE_BUFS situation - *nplanes != 0 */ + if (*nplanes) { + if (*nplanes != 1 || + sizes[0] < dev->capture.port->current_buffer.size) { + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, + "%s: dev:%p Invalid buffer request from CREATE_BUFS, size %u < %u, nplanes %u != 1\n", + __func__, dev, sizes[0], + dev->capture.port->current_buffer.size, + *nplanes); + return -EINVAL; + } else { + return 0; + } + } + + /* Handle REQBUFS situation */ size = dev->capture.port->current_buffer.size; if (size == 0) { v4l2_err(&dev->v4l2_dev, -- cgit