[media] omap_vout: Added check in reqbuf & mmap for buf_size allocation

The usecase where, user allocates small size of buffer through bootargs (video1_bufsize/video2_bufsize) and later from application tries to set the format which requires larger buffer size, driver doesn't check for insufficient buffer size and allows application to map extra buffer. This leads to kernel crash, when user application tries to access memory beyond the allocation size. Added check in both mmap and reqbuf call back function, and return error if the size of the buffer allocated by user through bootargs is less than the S_FMT size. Signed-off-by: Vaibhav Hiremath <hvaibhav@ti.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
git-mirror · Jul 1, 2011 · 383e4f6 · 383e4f6
1 parent 8f3a307
commit 383e4f6
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/drivers/media/video/omap/omap_vout.c b/drivers/media/video/omap/omap_vout.c
@@ -982,6 +982,14 @@ static int omap_vout_buffer_setup(struct videobuf_queue *q, unsigned int *count,
 	startindex = (vout->vid == OMAP_VIDEO1) ?
 		video1_numbuffers : video2_numbuffers;
 
+	/* Check the size of the buffer */
+	if (*size > vout->buffer_size) {
+		v4l2_err(&vout->vid_dev->v4l2_dev,
+				"buffer allocation mismatch [%u] [%u]\n",
+				*size, vout->buffer_size);
+		return -ENOMEM;
+	}
+
 	for (i = startindex; i < *count; i++) {
 		vout->buffer_size = *size;
 
@@ -1228,6 +1236,14 @@ static int omap_vout_mmap(struct file *file, struct vm_area_struct *vma)
 				(vma->vm_pgoff << PAGE_SHIFT));
 		return -EINVAL;
 	}
+	/* Check the size of the buffer */
+	if (size > vout->buffer_size) {
+		v4l2_err(&vout->vid_dev->v4l2_dev,
+				"insufficient memory [%lu] [%u]\n",
+				size, vout->buffer_size);
+		return -ENOMEM;
+	}
+
 	q->bufs[i]->baddr = vma->vm_start;
 
 	vma->vm_flags |= VM_RESERVED;