From patchwork Thu Nov 10 05:24:05 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wu-Cheng Li <wuchengli@chromium.org>
X-Patchwork-Id: 9420647
Return-Path: <linux-media-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B36346048E for <patchwork-linux-media@patchwork.kernel.org>;
	Thu, 10 Nov 2016 05:24:53 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A324428E89
	for <patchwork-linux-media@patchwork.kernel.org>;
	Thu, 10 Nov 2016 05:24:53 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 9636128F60; Thu, 10 Nov 2016 05:24:53 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2D7F728E89
	for <patchwork-linux-media@patchwork.kernel.org>;
	Thu, 10 Nov 2016 05:24:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753483AbcKJFYc (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Thu, 10 Nov 2016 00:24:32 -0500
Received: from mail-pf0-f173.google.com ([209.85.192.173]:34860 "EHLO
	mail-pf0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753423AbcKJFYb (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Thu, 10 Nov 2016 00:24:31 -0500
Received: by mail-pf0-f173.google.com with SMTP id i88so139058598pfk.2
	for <linux-media@vger.kernel.org>;
	Wed, 09 Nov 2016 21:24:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=/OeWjoTQ0tO4XCq1vAFV8oJYsqQU4iXms1fnDjTAmWA=;
	b=IfV8ClkLm/4HKHPGj4l0Rm48Sp3hM3OB572sNe/DtLD7bGEhi7q5ihQDrXSSvD0Jlv
	6B/CR3g6/gUWKJJOxWILIrD9cJJ6ipy1iduocpUa3SP+jpgdgC8j+T1QnFrYkK0KWM3J
	bX685R9dpjGbDsgqhcBJ0oY5Nq8tUOqC91AmA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=/OeWjoTQ0tO4XCq1vAFV8oJYsqQU4iXms1fnDjTAmWA=;
	b=kUSEOJufU6V8WpN8jL/B+thXHhBbUj/QYqIuSNZ7ZWGoe/GlM678V7pyiroNkaIiXS
	riu4Kpmqq+gdOkg8Mwlv10CU9zAWG5vka5ZblSZl8V36r/+v2kI6ZATzzOLiWdSbBkGW
	wEfyHjH3pZq6fTfi7MPDHCIz/8JCINm0F5SSvLLkeEJLqrjNAtbZmRBL61Wmnd+zOg1G
	HZeOFRE5BEX96twevvSEZwFsFAyABcf/t2WGNuhz3avPoDMf64WT547I3Ef6cR6WK7KE
	ndd5t7V50yPKLjAE5yvr72gsKGADrXVXfvlXuwuLDe+sb77GydK4z8xWaEtcmkj9qg6g
	ajSQ==
X-Gm-Message-State: 
 ABUngvf/RIREPpbIf8xg0cUTovf+TCoRk2HLRyT1KOUN8y5N6HkoiVz3UspQqILU99NqWOy7
X-Received: by 10.98.208.70 with SMTP id p67mr6505927pfg.15.1478755469875;
	Wed, 09 Nov 2016 21:24:29 -0800 (PST)
Received: from wuchengli-z840.tpe.corp.google.com ([172.30.210.26])
	by smtp.gmail.com with ESMTPSA id
	3sm3216403pam.21.2016.11.09.21.24.27
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 09 Nov 2016 21:24:29 -0800 (PST)
From: Wu-Cheng Li <wuchengli@chromium.org>
To: pawel@osciak.com, tiffany.lin@mediatek.com,
	andrew-ct.chen@mediatek.com, mchehab@kernel.org,
	matthias.bgg@gmail.com, djkurtz@chromium.org, dan.carpenter@oracle.com
Cc: linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org,
	Wu-Cheng Li <wuchengli@google.com>, Wu-Cheng Li <wuchengli@chromium.org>
Subject: [PATCH v1] mtk-vcodec: add index check in decoder vidioc_qbuf.
Date: Thu, 10 Nov 2016 13:24:05 +0800
Message-Id: <1478755445-23494-2-git-send-email-wuchengli@chromium.org>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
In-Reply-To: <1478755445-23494-1-git-send-email-wuchengli@chromium.org>
References: <1478755445-23494-1-git-send-email-wuchengli@chromium.org>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Wu-Cheng Li <wuchengli@google.com>

vb2_qbuf will check the buffer index. If a driver overrides
vidioc_qbuf and use the buffer index, the driver needs to check
the index.

Signed-off-by: Wu-Cheng Li <wuchengli@chromium.org>
---
 drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
index 0520919..0746592 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
@@ -533,6 +533,10 @@ static int vidioc_vdec_qbuf(struct file *file, void *priv,
 	}
 
 	vq = v4l2_m2m_get_vq(ctx->m2m_ctx, buf->type);
+	if (buf->index >= vq->num_buffers) {
+		mtk_v4l2_debug(1, "buffer index %d out of range", buf->index);
+		return -EINVAL;
+	}
 	vb = vq->bufs[buf->index];
 	vb2_v4l2 = container_of(vb, struct vb2_v4l2_buffer, vb2_buf);
 	mtkbuf = container_of(vb2_v4l2, struct mtk_video_dec_buf, vb);