Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=49ee718ef51f4d938f80f67207e1bfa2a38897a4
Commit:     49ee718ef51f4d938f80f67207e1bfa2a38897a4
Parent:     c726b65d079cafabc558616badbeead442e2b114
Author:     Brandon Philips <[EMAIL PROTECTED]>
AuthorDate: Fri Oct 5 16:26:27 2007 -0300
Committer:  Mauro Carvalho Chehab <[EMAIL PROTECTED]>
CommitDate: Wed Oct 10 00:03:20 2007 -0300

    V4L/DVB (6305): V4L: videobuf-core.c avoid NULL dereferences in 
videobuf-core
    
    The return value of videobuf_alloc() is unchecked but this function will
    return NULL on an error.  Check for NULL and make videobuf_reqbufs()
    return the number of successfully allocated buffers.
    
    Also, fix saa7146_video.c and bttv-driver.c to use this returned
    buffer count.
    
    Tested against the vivi driver.  Not tested against saa7146 or bt8xx
    devices.
    
    Signed-off-by: Brandon Philips <[EMAIL PROTECTED]>
    Signed-off-by: Mauro Carvalho Chehab <[EMAIL PROTECTED]>
---
 drivers/media/common/saa7146_video.c    |    2 ++
 drivers/media/video/bt8xx/bttv-driver.c |    2 ++
 drivers/media/video/videobuf-core.c     |   18 +++++++++++++-----
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/drivers/media/common/saa7146_video.c 
b/drivers/media/common/saa7146_video.c
index 29dbc60..f245a3b 100644
--- a/drivers/media/common/saa7146_video.c
+++ b/drivers/media/common/saa7146_video.c
@@ -1212,6 +1212,8 @@ int saa7146_video_do_ioctl(struct inode *inode, struct 
file *file, unsigned int
                        mutex_unlock(&q->lock);
                        return err;
                }
+
+               gbuffers = err;
                memset(mbuf,0,sizeof(*mbuf));
                mbuf->frames = gbuffers;
                mbuf->size   = gbuffers * gbufsize;
diff --git a/drivers/media/video/bt8xx/bttv-driver.c 
b/drivers/media/video/bt8xx/bttv-driver.c
index 4927853..7a332b3 100644
--- a/drivers/media/video/bt8xx/bttv-driver.c
+++ b/drivers/media/video/bt8xx/bttv-driver.c
@@ -3072,6 +3072,8 @@ static int bttv_do_ioctl(struct inode *inode, struct file 
*file,
                                             V4L2_MEMORY_MMAP);
                if (retval < 0)
                        goto fh_unlock_and_return;
+
+               gbuffers = retval;
                memset(mbuf,0,sizeof(*mbuf));
                mbuf->frames = gbuffers;
                mbuf->size   = gbuffers * gbufsize;
diff --git a/drivers/media/video/videobuf-core.c 
b/drivers/media/video/videobuf-core.c
index f5c5ea8..25a9849 100644
--- a/drivers/media/video/videobuf-core.c
+++ b/drivers/media/video/videobuf-core.c
@@ -329,7 +329,7 @@ int videobuf_reqbufs(struct videobuf_queue *q,
                goto done;
        }
 
-       req->count = count;
+       req->count = retval;
 
  done:
        mutex_unlock(&q->lock);
@@ -698,7 +698,7 @@ int videobuf_read_start(struct videobuf_queue *q)
 {
        enum v4l2_field field;
        unsigned long flags=0;
-       int count = 0, size = 0;
+       unsigned int count = 0, size = 0;
        int err, i;
 
        q->ops->buf_setup(q,&count,&size);
@@ -709,9 +709,11 @@ int videobuf_read_start(struct videobuf_queue *q)
        size = PAGE_ALIGN(size);
 
        err = videobuf_mmap_setup(q, count, size, V4L2_MEMORY_USERPTR);
-       if (err)
+       if (err < 0)
                return err;
 
+       count = err;
+
        for (i = 0; i < count; i++) {
                field = videobuf_next_field(q);
                err = q->ops->buf_prepare(q,q->bufs[i],field);
@@ -876,6 +878,9 @@ int videobuf_mmap_setup(struct videobuf_queue *q,
        for (i = 0; i < bcount; i++) {
                q->bufs[i] = videobuf_alloc(q);
 
+               if (q->bufs[i] == NULL)
+                       break;
+
                q->bufs[i]->i      = i;
                q->bufs[i]->input  = UNSET;
                q->bufs[i]->memory = memory;
@@ -891,10 +896,13 @@ int videobuf_mmap_setup(struct videobuf_queue *q,
                }
        }
 
+       if (!i)
+               return -ENOMEM;
+
        dprintk(1,"mmap setup: %d buffers, %d bytes each\n",
-               bcount,bsize);
+               i, bsize);
 
-       return 0;
+       return i;
 }
 
 int videobuf_mmap_free(struct videobuf_queue *q)
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to