static int uvc_parse_format:
switch (buffer[2]) {
case VS_FORMAT_UNCOMPRESSED:
case VS_FORMAT_FRAME_BASED:
if (buflen < 27) {
uvc_trace(UVC_TRACE_DESCR, "device %d videostreaming"
"interface %d FORMAT error\n",
dev->udev->devnum,
alts->desc.bInterfaceNumber);
return -EINVAL;
}
[..]
format->bpp = buffer[21];
if (buffer[2] == VS_FORMAT_UNCOMPRESSED) {
ftype = VS_FRAME_UNCOMPRESSED;
} else {
ftype = VS_FRAME_FRAME_BASED;
if (buffer[27])
format->flags = UVC_FMT_FLAG_COMPRESSED;
}
break;
Hi,
you are checking for a length of at least 27 but access the 28th element
unconditionally. Looks like a check is missing.
Regards
Oliver
_______________________________________________
Linux-uvc-devel mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/linux-uvc-devel
