Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c77990e7 authored by Cyrill Gorcunov's avatar Cyrill Gorcunov Committed by Mauro Carvalho Chehab
Browse files

V4L/DVB (7330): V4L1 - fix v4l_compat_translate_ioctl possible NULL deref 



There are possible NULL pointer derefs in case of kzalloc fails so fix them.

Signed-off-by: default avatarCyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@infradead.org>
parent 77596058

drivers/media/video/v4l1-compat.c

+41 −9
Original line number Diff line number Diff line
@@ -304,6 +304,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		struct video_capability *cap = arg;



		cap2 = kzalloc(sizeof(*cap2), GFP_KERNEL);

		if (!cap2) {

			err = -ENOMEM;

			break;

		}

		memset(cap, 0, sizeof(*cap));

		memset(&fbuf2, 0, sizeof(fbuf2));
@@ -427,6 +431,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		struct video_window	*win = arg;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		memset(win,0,sizeof(*win));



		fmt2->type = V4L2_BUF_TYPE_VIDEO_OVERLAY;
@@ -465,6 +473,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		int err1,err2;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;

		drv(inode, file, VIDIOC_STREAMOFF, &fmt2->type);

		err1 = drv(inode, file, VIDIOC_G_FMT, fmt2);
@@ -586,6 +598,12 @@ v4l_compat_translate_ioctl(struct inode *inode, 
	{

		struct video_picture	*pict = arg;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}



		pict->brightness = get_v4l_control(inode, file,

						   V4L2_CID_BRIGHTNESS,drv);

		pict->hue = get_v4l_control(inode, file,
@@ -597,7 +615,6 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		pict->whiteness = get_v4l_control(inode, file,

						  V4L2_CID_WHITENESS, drv);



		fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL);

		fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;

		err = drv(inode, file, VIDIOC_G_FMT, fmt2);

		if (err < 0) {
@@ -617,6 +634,11 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		struct video_picture	*pict = arg;

		int mem_err = 0, ovl_err = 0;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		memset(&fbuf2, 0, sizeof(fbuf2));



		set_v4l_control(inode, file,
@@ -636,7 +658,6 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		 * different pixel formats for memory vs overlay.

		 */



		fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL);

		fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;

		err = drv(inode, file, VIDIOC_G_FMT, fmt2);

		/* If VIDIOC_G_FMT failed, then the driver likely doesn't
@@ -891,6 +912,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		struct video_mmap	*mm = arg;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		memset(&buf2,0,sizeof(buf2));



		fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
@@ -987,6 +1012,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		struct vbi_format      *fmt = arg;



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);

		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE;



		err = drv(inode, file, VIDIOC_G_FMT, fmt2);
@@ -1019,7 +1048,10 @@ v4l_compat_translate_ioctl(struct inode *inode, 
		}



		fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL);



		if (!fmt2) {

			err = -ENOMEM;

			break;

		}

		fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE;

		fmt2->fmt.vbi.samples_per_line = fmt->samples_per_line;

		fmt2->fmt.vbi.sampling_rate    = fmt->sampling_rate;