diff options
author | Marcus Glocker <mglocker@cvs.openbsd.org> | 2008-11-24 23:25:34 +0000 |
---|---|---|
committer | Marcus Glocker <mglocker@cvs.openbsd.org> | 2008-11-24 23:25:34 +0000 |
commit | b6679679f13b731ba42b47d62e0c1c9c441021fe (patch) | |
tree | 913d79e7b5b5d2368a4dafbe0dfa2cde64abb548 | |
parent | aade60ef2e3968fe35a47715edd19fa075d32816 (diff) |
More sanitizing for wrong bDefaultFrameIndex values. Fixes a panic
at attach time for devices which set bDefaultFrameIndex larger than
the existing frame descriptors.
Spotted, tested, and OK yuo@
-rw-r--r-- | sys/dev/usb/uvideo.c | 44 |
1 files changed, 19 insertions, 25 deletions
diff --git a/sys/dev/usb/uvideo.c b/sys/dev/usb/uvideo.c index 9fca9cd6c81..e03d7d739e9 100644 --- a/sys/dev/usb/uvideo.c +++ b/sys/dev/usb/uvideo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uvideo.c,v 1.91 2008/11/10 11:54:39 mglocker Exp $ */ +/* $OpenBSD: uvideo.c,v 1.92 2008/11/24 23:25:33 mglocker Exp $ */ /* * Copyright (c) 2008 Robert Nagy <robert@openbsd.org> @@ -780,8 +780,14 @@ uvideo_vs_parse_desc_format_mjpeg(struct uvideo_softc *sc, sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format = (struct uvideo_format_desc *)d; - sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = - sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format->u.mjpeg.bDefaultFrameIndex; + if (d->bDefaultFrameIndex > d->bNumFrameDescriptors || + d->bDefaultFrameIndex < 1) { + /* sanitize wrong bDefaultFrameIndex value */ + sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = 1; + } else { + sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = + d->bDefaultFrameIndex; + } sc->sc_fmtgrp[sc->sc_fmtgrp_idx].pixelformat = V4L2_PIX_FMT_MJPEG; if (sc->sc_fmtgrp_cur == NULL) @@ -816,8 +822,14 @@ uvideo_vs_parse_desc_format_uncompressed(struct uvideo_softc *sc, sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format = (struct uvideo_format_desc *)d; - sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = - sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format->u.uc.bDefaultFrameIndex; + if (d->bDefaultFrameIndex > d->bNumFrameDescriptors || + d->bDefaultFrameIndex < 1) { + /* sanitize wrong bDefaultFrameIndex value */ + sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = 1; + } else { + sc->sc_fmtgrp[sc->sc_fmtgrp_idx].format_dfidx = + d->bDefaultFrameIndex; + } i = sc->sc_fmtgrp_idx; if (!strcmp(sc->sc_fmtgrp[i].format->u.uc.guidFormat, "YUY2")) { sc->sc_fmtgrp[i].pixelformat = V4L2_PIX_FMT_YUYV; @@ -894,16 +906,7 @@ uvideo_vs_parse_desc_frame_mjpeg(struct uvideo_softc *sc, fmtidx = sc->sc_fmtgrp_idx; sc->sc_fmtgrp[fmtidx].frame[d->bFrameIndex] = d; - /* - * If bDefaultFrameIndex is not set by the device - * use the first bFrameIndex available, otherwise - * set it to the default one. - */ - if (sc->sc_fmtgrp[fmtidx].format->u.mjpeg.bDefaultFrameIndex == 0) { - sc->sc_fmtgrp[fmtidx].frame_cur = - sc->sc_fmtgrp[fmtidx].frame[1]; - } else if (sc->sc_fmtgrp[fmtidx].format->u.mjpeg.bDefaultFrameIndex == - d->bFrameIndex) { + if (sc->sc_fmtgrp[fmtidx].format_dfidx == d->bFrameIndex) { sc->sc_fmtgrp[fmtidx].frame_cur = sc->sc_fmtgrp[fmtidx].frame[d->bFrameIndex]; } @@ -936,16 +939,7 @@ uvideo_vs_parse_desc_frame_uncompressed(struct uvideo_softc *sc, sc->sc_fmtgrp[fmtidx].frame[d->bFrameIndex] = (struct usb_video_frame_mjpeg_desc *)d; - /* - * If bDefaultFrameIndex is not set by the device - * use the first bFrameIndex available, otherwise - * set it to the default one. - */ - if (sc->sc_fmtgrp[fmtidx].format->u.uc.bDefaultFrameIndex == 0) { - sc->sc_fmtgrp[fmtidx].frame_cur = - sc->sc_fmtgrp[fmtidx].frame[1]; - } else if (sc->sc_fmtgrp[fmtidx].format->u.uc.bDefaultFrameIndex == - d->bFrameIndex) { + if (sc->sc_fmtgrp[fmtidx].format_dfidx == d->bFrameIndex) { sc->sc_fmtgrp[fmtidx].frame_cur = sc->sc_fmtgrp[fmtidx].frame[d->bFrameIndex]; } |