From: Gjorgji Rosikopulos <grosikopu...@mm-sol.com>
Buffer length is needed for single plane as well, otherwise
is uninitialized and behaviour is undetermined.
Signed-off-by: Gjorgji Rosikopulos <grosikopu...@mm-sol.com>
Signed-off-by: Laurent Pinchart <laurent.pinch...@ideasonboard.com>
---
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 8fd84a67478a..b0faa1f7e3a9 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -482,8 +482,10 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp,
struct v4l2_buffer32 __user
return -EFAULT;
break;
case V4L2_MEMORY_DMABUF:
- if (get_user(kp->m.fd, &up->m.fd))
+ if (get_user(kp->m.fd, &up->m.fd) ||
+ get_user(kp->length, &up->length))
return -EFAULT;
+
break;
}
}
@@ -550,7 +552,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct
v4l2_buffer32 __user
return -EFAULT;
break;
case V4L2_MEMORY_DMABUF:
- if (put_user(kp->m.fd, &up->m.fd))
+ if (put_user(kp->m.fd, &up->m.fd) ||
+ put_user(kp->length, &up->length))
return -EFAULT;
break;
}
--
2.4.10
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
