media: dvb_vb2: fix possible out of bound access

author Hangyu Hua <hbh25y@gmail.com>

Thu, 19 May 2022 02:17:43 +0000 (03:17 +0100)

committer Stefan Bader <stefan.bader@canonical.com>

Wed, 23 Nov 2022 14:11:58 +0000 (15:11 +0100)
author Hangyu Hua <hbh25y@gmail.com>
Thu, 19 May 2022 02:17:43 +0000 (03:17 +0100)
committer Stefan Bader <stefan.bader@canonical.com>
Wed, 23 Nov 2022 14:11:58 +0000 (15:11 +0100)
diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c

index 6974f1731529437b5ed481f46a38ac237b5926c0..1331f2c2237e6ad72b03441927c9e71530e12496 100644 (file)
--- a/drivers/media/dvb-core/dvb_vb2.c
+++ b/drivers/media/dvb-core/dvb_vb2.c
@@ -358,6 +358,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req)
  
  int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
  {
+       struct vb2_queue *q = &ctx->vb_q;
+
+       if (b->index >= q->num_buffers) {
+               dprintk(1, "[%s] buffer index out of range\n", ctx->name);
+               return -EINVAL;
+       }
         vb2_core_querybuf(&ctx->vb_q, b->index, b);
         dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
         return 0;
@@ -382,8 +388,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
  
  int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
  {
+       struct vb2_queue *q = &ctx->vb_q;
         int ret;
  
+       if (b->index >= q->num_buffers) {
+               dprintk(1, "[%s] buffer index out of range\n", ctx->name);
+               return -EINVAL;
+       }
         ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
         if (ret) {
                 dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
author	Hangyu Hua <hbh25y@gmail.com>
	Thu, 19 May 2022 02:17:43 +0000 (03:17 +0100)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 23 Nov 2022 14:11:58 +0000 (15:11 +0100)