From 73ee9ac76651e7e52f23e0f69c2944918e659fe7 Mon Sep 17 00:00:00 2001 From: Dave Stevenson Date: Tue, 15 Jan 2019 15:35:24 +0000 Subject: [PATCH 315/773] staging: bcm2835-camera: Add sanity checks for queue_setup/CREATE_BUFS Fixes a v4l2-compliance failure when passed a buffer that is too small. queue_setup wasn't handling the case where !(*nplanes), as used from CREATE_BUFS and requiring the driver to sanity check the provided buffer parameters. It was assuming that it was always being used in the REQBUFS case where it provides the buffer properties. Signed-off-by: Dave Stevenson --- .../bcm2835-camera/bcm2835-camera.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) --- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c +++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c @@ -242,6 +242,22 @@ static int queue_setup(struct vb2_queue return -EINVAL; } + /* Handle CREATE_BUFS situation - *nplanes != 0 */ + if (*nplanes) { + if (*nplanes != 1 || + sizes[0] < dev->capture.port->current_buffer.size) { + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, + "%s: dev:%p Invalid buffer request from CREATE_BUFS, size %u < %u, nplanes %u != 1\n", + __func__, dev, sizes[0], + dev->capture.port->current_buffer.size, + *nplanes); + return -EINVAL; + } else { + return 0; + } + } + + /* Handle REQBUFS situation */ size = dev->capture.port->current_buffer.size; if (size == 0) { v4l2_err(&dev->v4l2_dev,