Commit 3e09d417 authored by Tiffany Lin's avatar Tiffany Lin Committed by Sasha Levin

[media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32

[ Upstream commit 7df5ab87 ]

In v4l2-compliance utility, test QUERYBUF required correct length
value to go through each planar to check planar's length in
multi-planar buffer type
Signed-off-by: default avatarTiffany Lin <tiffany.lin@mediatek.com>
Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
Cc: <stable@vger.kernel.org>      # for v3.7 and up
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent f2f1ca55
...@@ -392,7 +392,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user ...@@ -392,7 +392,8 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
get_user(kp->index, &up->index) || get_user(kp->index, &up->index) ||
get_user(kp->type, &up->type) || get_user(kp->type, &up->type) ||
get_user(kp->flags, &up->flags) || get_user(kp->flags, &up->flags) ||
get_user(kp->memory, &up->memory)) get_user(kp->memory, &up->memory) ||
get_user(kp->length, &up->length))
return -EFAULT; return -EFAULT;
if (V4L2_TYPE_IS_OUTPUT(kp->type)) if (V4L2_TYPE_IS_OUTPUT(kp->type))
...@@ -404,9 +405,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user ...@@ -404,9 +405,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
return -EFAULT; return -EFAULT;
if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
if (get_user(kp->length, &up->length))
return -EFAULT;
num_planes = kp->length; num_planes = kp->length;
if (num_planes == 0) { if (num_planes == 0) {
kp->m.planes = NULL; kp->m.planes = NULL;
...@@ -439,16 +437,14 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user ...@@ -439,16 +437,14 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
} else { } else {
switch (kp->memory) { switch (kp->memory) {
case V4L2_MEMORY_MMAP: case V4L2_MEMORY_MMAP:
if (get_user(kp->length, &up->length) || if (get_user(kp->m.offset, &up->m.offset))
get_user(kp->m.offset, &up->m.offset))
return -EFAULT; return -EFAULT;
break; break;
case V4L2_MEMORY_USERPTR: case V4L2_MEMORY_USERPTR:
{ {
compat_long_t tmp; compat_long_t tmp;
if (get_user(kp->length, &up->length) || if (get_user(tmp, &up->m.userptr))
get_user(tmp, &up->m.userptr))
return -EFAULT; return -EFAULT;
kp->m.userptr = (unsigned long)compat_ptr(tmp); kp->m.userptr = (unsigned long)compat_ptr(tmp);
...@@ -490,7 +486,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user ...@@ -490,7 +486,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
put_user(kp->sequence, &up->sequence) || put_user(kp->sequence, &up->sequence) ||
put_user(kp->reserved2, &up->reserved2) || put_user(kp->reserved2, &up->reserved2) ||
put_user(kp->reserved, &up->reserved)) put_user(kp->reserved, &up->reserved) ||
put_user(kp->length, &up->length))
return -EFAULT; return -EFAULT;
if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
...@@ -513,13 +510,11 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user ...@@ -513,13 +510,11 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
} else { } else {
switch (kp->memory) { switch (kp->memory) {
case V4L2_MEMORY_MMAP: case V4L2_MEMORY_MMAP:
if (put_user(kp->length, &up->length) || if (put_user(kp->m.offset, &up->m.offset))
put_user(kp->m.offset, &up->m.offset))
return -EFAULT; return -EFAULT;
break; break;
case V4L2_MEMORY_USERPTR: case V4L2_MEMORY_USERPTR:
if (put_user(kp->length, &up->length) || if (put_user(kp->m.userptr, &up->m.userptr))
put_user(kp->m.userptr, &up->m.userptr))
return -EFAULT; return -EFAULT;
break; break;
case V4L2_MEMORY_OVERLAY: case V4L2_MEMORY_OVERLAY:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment