diff options
| author | Cyrill Gorcunov <gorcunov@gmail.com> | 2008-03-05 18:24:43 -0500 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2008-03-20 11:39:01 -0400 |
| commit | c77990e754af7443246f24ccb2336bbd62b01cc0 (patch) | |
| tree | b6bccab9d53fdea4884326f7baf9827eb8537990 /drivers/media | |
| parent | 77596058e1c2ad95b566dfdc926611a8dd820ee0 (diff) | |
V4L/DVB (7330): V4L1 - fix v4l_compat_translate_ioctl possible NULL deref
There are possible NULL pointer derefs in case of kzalloc fails so fix them.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Diffstat (limited to 'drivers/media')
| -rw-r--r-- | drivers/media/video/v4l1-compat.c | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/drivers/media/video/v4l1-compat.c b/drivers/media/video/v4l1-compat.c index dcf22a3b672a..50e1ff9f2be5 100644 --- a/drivers/media/video/v4l1-compat.c +++ b/drivers/media/video/v4l1-compat.c | |||
| @@ -303,7 +303,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 303 | { | 303 | { |
| 304 | struct video_capability *cap = arg; | 304 | struct video_capability *cap = arg; |
| 305 | 305 | ||
| 306 | cap2 = kzalloc(sizeof(*cap2),GFP_KERNEL); | 306 | cap2 = kzalloc(sizeof(*cap2), GFP_KERNEL); |
| 307 | if (!cap2) { | ||
| 308 | err = -ENOMEM; | ||
| 309 | break; | ||
| 310 | } | ||
| 307 | memset(cap, 0, sizeof(*cap)); | 311 | memset(cap, 0, sizeof(*cap)); |
| 308 | memset(&fbuf2, 0, sizeof(fbuf2)); | 312 | memset(&fbuf2, 0, sizeof(fbuf2)); |
| 309 | 313 | ||
| @@ -426,7 +430,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 426 | { | 430 | { |
| 427 | struct video_window *win = arg; | 431 | struct video_window *win = arg; |
| 428 | 432 | ||
| 429 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | 433 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); |
| 434 | if (!fmt2) { | ||
| 435 | err = -ENOMEM; | ||
| 436 | break; | ||
| 437 | } | ||
| 430 | memset(win,0,sizeof(*win)); | 438 | memset(win,0,sizeof(*win)); |
| 431 | 439 | ||
| 432 | fmt2->type = V4L2_BUF_TYPE_VIDEO_OVERLAY; | 440 | fmt2->type = V4L2_BUF_TYPE_VIDEO_OVERLAY; |
| @@ -464,7 +472,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 464 | struct video_window *win = arg; | 472 | struct video_window *win = arg; |
| 465 | int err1,err2; | 473 | int err1,err2; |
| 466 | 474 | ||
| 467 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | 475 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); |
| 476 | if (!fmt2) { | ||
| 477 | err = -ENOMEM; | ||
| 478 | break; | ||
| 479 | } | ||
| 468 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; | 480 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; |
| 469 | drv(inode, file, VIDIOC_STREAMOFF, &fmt2->type); | 481 | drv(inode, file, VIDIOC_STREAMOFF, &fmt2->type); |
| 470 | err1 = drv(inode, file, VIDIOC_G_FMT, fmt2); | 482 | err1 = drv(inode, file, VIDIOC_G_FMT, fmt2); |
| @@ -586,6 +598,12 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 586 | { | 598 | { |
| 587 | struct video_picture *pict = arg; | 599 | struct video_picture *pict = arg; |
| 588 | 600 | ||
| 601 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); | ||
| 602 | if (!fmt2) { | ||
| 603 | err = -ENOMEM; | ||
| 604 | break; | ||
| 605 | } | ||
| 606 | |||
| 589 | pict->brightness = get_v4l_control(inode, file, | 607 | pict->brightness = get_v4l_control(inode, file, |
| 590 | V4L2_CID_BRIGHTNESS,drv); | 608 | V4L2_CID_BRIGHTNESS,drv); |
| 591 | pict->hue = get_v4l_control(inode, file, | 609 | pict->hue = get_v4l_control(inode, file, |
| @@ -597,7 +615,6 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 597 | pict->whiteness = get_v4l_control(inode, file, | 615 | pict->whiteness = get_v4l_control(inode, file, |
| 598 | V4L2_CID_WHITENESS, drv); | 616 | V4L2_CID_WHITENESS, drv); |
| 599 | 617 | ||
| 600 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | ||
| 601 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; | 618 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; |
| 602 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); | 619 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); |
| 603 | if (err < 0) { | 620 | if (err < 0) { |
| @@ -617,6 +634,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 617 | struct video_picture *pict = arg; | 634 | struct video_picture *pict = arg; |
| 618 | int mem_err = 0, ovl_err = 0; | 635 | int mem_err = 0, ovl_err = 0; |
| 619 | 636 | ||
| 637 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); | ||
| 638 | if (!fmt2) { | ||
| 639 | err = -ENOMEM; | ||
| 640 | break; | ||
| 641 | } | ||
| 620 | memset(&fbuf2, 0, sizeof(fbuf2)); | 642 | memset(&fbuf2, 0, sizeof(fbuf2)); |
| 621 | 643 | ||
| 622 | set_v4l_control(inode, file, | 644 | set_v4l_control(inode, file, |
| @@ -636,7 +658,6 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 636 | * different pixel formats for memory vs overlay. | 658 | * different pixel formats for memory vs overlay. |
| 637 | */ | 659 | */ |
| 638 | 660 | ||
| 639 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | ||
| 640 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; | 661 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; |
| 641 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); | 662 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); |
| 642 | /* If VIDIOC_G_FMT failed, then the driver likely doesn't | 663 | /* If VIDIOC_G_FMT failed, then the driver likely doesn't |
| @@ -890,7 +911,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 890 | { | 911 | { |
| 891 | struct video_mmap *mm = arg; | 912 | struct video_mmap *mm = arg; |
| 892 | 913 | ||
| 893 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | 914 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); |
| 915 | if (!fmt2) { | ||
| 916 | err = -ENOMEM; | ||
| 917 | break; | ||
| 918 | } | ||
| 894 | memset(&buf2,0,sizeof(buf2)); | 919 | memset(&buf2,0,sizeof(buf2)); |
| 895 | 920 | ||
| 896 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; | 921 | fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; |
| @@ -986,7 +1011,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 986 | { | 1011 | { |
| 987 | struct vbi_format *fmt = arg; | 1012 | struct vbi_format *fmt = arg; |
| 988 | 1013 | ||
| 989 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | 1014 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); |
| 1015 | if (!fmt2) { | ||
| 1016 | err = -ENOMEM; | ||
| 1017 | break; | ||
| 1018 | } | ||
| 990 | fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; | 1019 | fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; |
| 991 | 1020 | ||
| 992 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); | 1021 | err = drv(inode, file, VIDIOC_G_FMT, fmt2); |
| @@ -1018,8 +1047,11 @@ v4l_compat_translate_ioctl(struct inode *inode, | |||
| 1018 | break; | 1047 | break; |
| 1019 | } | 1048 | } |
| 1020 | 1049 | ||
| 1021 | fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); | 1050 | fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); |
| 1022 | 1051 | if (!fmt2) { | |
| 1052 | err = -ENOMEM; | ||
| 1053 | break; | ||
| 1054 | } | ||
| 1023 | fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; | 1055 | fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; |
| 1024 | fmt2->fmt.vbi.samples_per_line = fmt->samples_per_line; | 1056 | fmt2->fmt.vbi.samples_per_line = fmt->samples_per_line; |
| 1025 | fmt2->fmt.vbi.sampling_rate = fmt->sampling_rate; | 1057 | fmt2->fmt.vbi.sampling_rate = fmt->sampling_rate; |