On Sun, Apr 23, 2017 at 11:32:57PM +0200, Christophe JAILLET wrote:
> We should ensure that 'plane_no' is '< vb->num_planes' as done in
> 'vb2_plane_cookie' just a few lines below.
> 
> Signed-off-by: Christophe JAILLET <christophe.jail...@wanadoo.fr>
> ---
>  drivers/media/v4l2-core/videobuf2-core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/v4l2-core/videobuf2-core.c 
> b/drivers/media/v4l2-core/videobuf2-core.c
> index 94afbbf92807..c0175ea7e7ad 100644
> --- a/drivers/media/v4l2-core/videobuf2-core.c
> +++ b/drivers/media/v4l2-core/videobuf2-core.c
> @@ -868,7 +868,7 @@ EXPORT_SYMBOL_GPL(vb2_core_create_bufs);
>  
>  void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no)
>  {
> -     if (plane_no > vb->num_planes || !vb->planes[plane_no].mem_priv)
> +     if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv)
>               return NULL;
>  
>       return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv);
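
Review bot: the commit message should state what the old test `plane_no > vb->num_planes` allowed, and it carries no Fixes: or Cc: stable tag. With `plane_no == vb->num_planes` the first condition was false, so `vb->planes[plane_no].mem_priv` was read one entry past the last valid plane and, when non-NULL, handed to `call_ptr_memop()`. Spelling that out in the description, with a Fixes: line for the commit that introduced the `>` comparison and a Cc: stable line, would make the backport easier to pick up.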

Oh my. How could this happen?

This should go to stable as well.

Reviewed-by: Sakari Ailus <sakari.ai...@linux.intel.com>

-- 
Sakari Ailus
e-mail: sakari.ai...@iki.fi     XMPP: sai...@retiisi.org.uk
