From patchwork Sun Aug 30 08:56:16 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?TsODwqltZXRoIE3Dg8KhcnRvbg==?=
X-Patchwork-Id: 44742
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n7U8uMGV020873 for ; Sun, 30 Aug 2009 08:56:22 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752690AbZH3I4S (ORCPT ); Sun, 30 Aug 2009 04:56:18 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752548AbZH3I4S (ORCPT ); Sun, 30 Aug 2009 04:56:18 -0400
Received: from mail01a.mail.t-online.hu ([84.2.40.6]:50694 "EHLO mail01a.mail.t-online.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752444AbZH3I4R (ORCPT ); Sun, 30 Aug 2009 04:56:17 -0400
Received: from [192.168.1.69] (dsl51B68D03.pool.t-online.hu [81.182.141.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail01a.mail.t-online.hu (Postfix) with ESMTPSA id 734877982AE; Sun, 30 Aug 2009 10:52:37 +0200 (CEST)
Message-ID: <4A9A3EB0.8060304@freemail.hu>
Date: Sun, 30 Aug 2009 10:56:16 +0200
From: =?ISO-8859-2?Q?N=E9meth_M=E1rton?=
User-Agent: Mozilla/5.0 (X11; U; Linux i686; hu-HU; rv:1.8.1.21) Gecko/20090402 SeaMonkey/1.1.16
MIME-Version: 1.0
To: V4L Mailing List
CC: =?ISO-8859-2?Q?N=E9meth_M=E1rton?=
Subject: [PATCH] libv4l: add NULL pointer check
X-DCC-mail.t-online.hu-Metrics: mail01a.mail.t-online.hu 32720; Body=2 Fuz1=2 Fuz2=2
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-media@vger.kernel.org

From: Márton Németh

Add NULL pointer check before the pointers are dereferenced.

The patch was tested with v4l-test 0.19 [1] together with
"Trust 610 LCD Powerc@m Zoom" in webcam mode.

Reference:
[1] v4l-test: Test environment for Video For Linux Two API
    http://v4l-test.sourceforge.net/

Priority: normal
Signed-off-by: Márton Németh --- -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff -upr libv4l-0.6.1-test.orig/libv4l2/libv4l2.c libv4l-0.6.1-test/libv4l2/libv4l2.c --- libv4l-0.6.1-test.orig/libv4l2/libv4l2.c 2009-08-20 11:41:15.000000000 +0200 +++ libv4l-0.6.1-test/libv4l2/libv4l2.c 2009-08-30 10:40:12.000000000 +0200 @@ -772,7 +772,8 @@ int v4l2_ioctl (int fd, unsigned long in is_capture_request = 1; break; case VIDIOC_ENUM_FMT: - if (((struct v4l2_fmtdesc *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE && + if (arg && + ((struct v4l2_fmtdesc *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE && !(devices[index].flags & V4L2_DISABLE_CONVERSION)) is_capture_request = 1; break; @@ -782,19 +783,22 @@ int v4l2_ioctl (int fd, unsigned long in is_capture_request = 1; break; case VIDIOC_TRY_FMT: - if (((struct v4l2_format *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE && + if (arg && + ((struct v4l2_format *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE && !(devices[index].flags & V4L2_DISABLE_CONVERSION)) is_capture_request = 1; break; case VIDIOC_S_FMT: case VIDIOC_G_FMT: - if (((struct v4l2_format *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { + if (arg && + ((struct v4l2_format *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { is_capture_request = 1; stream_needs_locking = 1; } break; case VIDIOC_REQBUFS: - if (((struct v4l2_requestbuffers *)arg)->type == + if (arg && + ((struct v4l2_requestbuffers *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { is_capture_request = 1; stream_needs_locking = 1; 
@@ -803,14 +807,16 @@ int v4l2_ioctl (int fd, unsigned long in case VIDIOC_QUERYBUF: case VIDIOC_QBUF: case VIDIOC_DQBUF: - if (((struct v4l2_buffer *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { + if (arg && + ((struct v4l2_buffer *)arg)->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { is_capture_request = 1; stream_needs_locking = 1; } break; case VIDIOC_STREAMON: case VIDIOC_STREAMOFF: - if (*((enum v4l2_buf_type *)arg) == V4L2_BUF_TYPE_VIDEO_CAPTURE) { + if (arg && + *((enum v4l2_buf_type *)arg) == V4L2_BUF_TYPE_VIDEO_CAPTURE) { is_capture_request = 1; stream_needs_locking = 1; } diff -upr libv4l-0.6.1-test.orig/libv4lconvert/control/libv4lcontrol.c libv4l-0.6.1-test/libv4lconvert/control/libv4lcontrol.c --- libv4l-0.6.1-test.orig/libv4lconvert/control/libv4lcontrol.c 2009-08-20 11:29:51.000000000 +0200 +++ libv4l-0.6.1-test/libv4lconvert/control/libv4lcontrol.c 2009-08-30 10:37:53.000000000 +0200 @@ -543,7 +543,7 @@ int v4lcontrol_vidioc_queryctrl(struct v int i; struct v4l2_queryctrl *ctrl = arg; int retval; - __u32 orig_id=ctrl->id; + __u32 orig_id; /* if we have an exact match return it */ for (i = 0; i < V4LCONTROL_COUNT; i++) 
@@ -556,24 +556,27 @@ int v4lcontrol_vidioc_queryctrl(struct v /* find out what the kernel driver would respond. */ retval = SYS_IOCTL(data->fd, VIDIOC_QUERYCTRL, arg); - if ((data->priv_flags & V4LCONTROL_SUPPORTS_NEXT_CTRL) && - (orig_id & V4L2_CTRL_FLAG_NEXT_CTRL)) { - /* If the hardware has no more controls check if we still have any - fake controls with a higher id then the hardware's highest */ - if (retval) - ctrl->id = V4L2_CTRL_FLAG_NEXT_CTRL; - - /* If any of our controls have an id > orig_id but less than - ctrl->id then return that control instead. Note we do not - break when we have a match, but keep iterating, so that - we end up with the fake ctrl with the lowest CID > orig_id. */ - for (i = 0; i < V4LCONTROL_COUNT; i++) - if ((data->controls & (1 << i)) && - (fake_controls[i].id > (orig_id & ~V4L2_CTRL_FLAG_NEXT_CTRL)) && - (fake_controls[i].id <= ctrl->id)) { - v4lcontrol_copy_queryctrl(data, ctrl, i); - retval = 0; - } + if (ctrl) { + orig_id = ctrl->id; + if ((data->priv_flags & V4LCONTROL_SUPPORTS_NEXT_CTRL) && + (orig_id & V4L2_CTRL_FLAG_NEXT_CTRL)) { + /* If the hardware has no more controls check if we still have any + fake controls with a higher id then the hardware's highest */ + if (retval) + ctrl->id = V4L2_CTRL_FLAG_NEXT_CTRL; + + /* If any of our controls have an id > orig_id but less than + ctrl->id then return that control instead. Note we do not + break when we have a match, but keep iterating, so that + we end up with the fake ctrl with the lowest CID > orig_id. 
*/ + for (i = 0; i < V4LCONTROL_COUNT; i++) + if ((data->controls & (1 << i)) && + (fake_controls[i].id > (orig_id & ~V4L2_CTRL_FLAG_NEXT_CTRL)) && + (fake_controls[i].id <= ctrl->id)) { + v4lcontrol_copy_queryctrl(data, ctrl, i); + retval = 0; + } + } } return retval; diff -upr libv4l-0.6.1-test.orig/libv4lconvert/libv4lconvert.c libv4l-0.6.1-test/libv4lconvert/libv4lconvert.c --- libv4l-0.6.1-test.orig/libv4lconvert/libv4lconvert.c 2009-08-19 15:56:14.000000000 +0200 +++ libv4l-0.6.1-test/libv4lconvert/libv4lconvert.c 2009-08-30 10:45:16.000000000 +0200 @@ -1170,6 +1170,10 @@ static void v4lconvert_get_framesizes(st int v4lconvert_enum_framesizes(struct v4lconvert_data *data, struct v4l2_frmsizeenum *frmsize) { + if (!frmsize) { + errno = EACCES; + return -1; + } if (!v4lconvert_supported_dst_format(frmsize->pixel_format)) { if (v4lconvert_supported_dst_fmt_only(data)) { errno = EINVAL;
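
Review bot: In libv4l2.c (hunks @@ -772, @@ -782 and @@ -803 of v4l2_ioctl) the seven added "arg &&" guards only stop the request-classification code from dereferencing NULL; they do not say what a NULL arg should result in. With arg == NULL, is_capture_request and stream_needs_locking now stay 0, so VIDIOC_S_FMT, VIDIOC_REQBUFS, VIDIOC_QBUF, VIDIOC_STREAMON and the rest continue on whatever path non-capture requests take, which these hunks do not show. Please state the intended outcome in the commit message or in a comment at the top of the switch (for example, that the request is handed to the driver unchanged and the driver reports the error), and consider one shared check for the pointer-taking cases instead of repeating the same condition in every case.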
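
Review bot: In libv4lcontrol.c, hunk @@ -543 of v4lcontrol_vidioc_queryctrl, the new "if (ctrl)" test is placed after the "if we have an exact match return it" loop that starts right below the changed declaration. The body of that loop is outside the visible context; if it compares against ctrl->id, a NULL arg is still dereferenced before the new check is reached. Either move the NULL test above that loop or confirm that the loop does not touch ctrl.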
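
Review bot: In libv4lcontrol.c, hunk @@ -556, wrapping the whole NEXT_CTRL block in "if (ctrl) { ... }" re-indents about twenty lines for a one-condition change, which makes the real change hard to see and adds a nesting level. An early exit placed right after the SYS_IOCTL call, such as "if (!ctrl) return retval;", would give the same behaviour in two lines and would let orig_id keep its place next to the code that uses it. Since the comment is being re-indented anyway, "higher id then the hardware's highest" could be corrected to "than" in the same pass.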
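
Review bot: In libv4lconvert.c, hunk @@ -1170 of v4lconvert_enum_framesizes, the NULL frmsize case sets errno = EACCES, which is an unusual code for a bad pointer; ioctl(2) documents EFAULT for an argp that references inaccessible memory. It is also handled differently from the other two files in this patch, which skip the dereference without setting errno themselves. Please use EFAULT here, or explain in the commit message why EACCES is what callers (and v4l-test) should expect, so that the three code paths report a NULL argument consistently.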