I think you might have the wrong Amber copied on this email. 

Amber

-----Original Message-----
From: Dan Carpenter [mailto:dan.carpen...@oracle.com] 
Sent: Wednesday, April 10, 2019 6:14 AM
To: Hans Verkuil
Cc: Mauro Carvalho Chehab; Scheurer, Amber; Niklas Söderlund; Philipp Zabel; 
Parrot, Benoit; linux-media@vger.kernel.org; kernel-janit...@vger.kernel.org; 
Andrzej Hajda
Subject: [EXTERNAL] Re: [PATCH] media: omap_vout: potential buffer overflow in 
vidioc_dqbuf()

On Wed, Apr 10, 2019 at 12:50:31PM +0200, Hans Verkuil wrote:
> On 4/9/19 1:29 PM, Dan Carpenter wrote:
> > diff --git a/drivers/media/platform/omap/omap_vout.c 
> > b/drivers/media/platform/omap/omap_vout.c
> > index 37f0d7146dfa..15e38990e85a 100644
> > --- a/drivers/media/platform/omap/omap_vout.c
> > +++ b/drivers/media/platform/omap/omap_vout.c
> > @@ -1527,8 +1527,6 @@ static int vidioc_dqbuf(struct file *file, void *fh, 
> > struct v4l2_buffer *b)
> >     unsigned long size;
> >     struct videobuf_buffer *vb;
> >  
> > -   vb = q->bufs[b->index];
> > -
> >     if (!vout->streaming)
> >             return -EINVAL;
> >  
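Review bot: with the early `vb = q->bufs[b->index];` gone, `vb` in this hunk is declared without an initialiser and stays unassigned across the `!vout->streaming` return and everything up to the relocated assignment. Worth confirming that no path reads `vb` before that point. The commit message could also state explicitly that `b->index` arrives in the caller's `struct v4l2_buffer` and was being used as an index into `q->bufs` here before anything had validated it.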
> > @@ -1539,6 +1537,8 @@ static int vidioc_dqbuf(struct file *file, void *fh, 
> > struct v4l2_buffer *b)
> >             /* Call videobuf_dqbuf for  blocking mode */
> >             ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 0);
> 
> We need a:
> 
>       if (ret)
>               return ret;
> 
> here. Or alternatively, add 'if (!ret)' around the next five lines.
> 
> b->index is only valid if the videobuf_dqbuf call returned 0.
> 

Doh.  Thanks.

regards,
dan carpenter
