projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5fd8f73)
V4L/DVB: gspca - main: Fix a crash in gspca_frame_add()
authorJean-François Moine <moinejf@free.fr>
Thu, 29 Jul 2010 05:46:02 +0000 (02:46 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Mon, 9 Aug 2010 02:43:01 +0000 (23:43 -0300)
Some webcams as ov511 may find many times an end of image.
In this case, with the last patch in image concatenation
(commit 799b1bd41f398054d46fd35f73abd01c4009f6ca),
the image pointer was NULL and the system crashed in memcpy().

Signed-off-by: Jean-François Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/video/gspca/gspca.c patch | blob | blame | history

diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index 0004469691cc56081cc4f4cd60d925fbe35ba455..b9846106913eb4871f429924092dd27563f0f115 100644 (file)
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -440,10 +440,15 @@ void gspca_frame_add(struct gspca_dev *gspca_dev,
                frame->v4l2_buf.sequence = ++gspca_dev->sequence;
                gspca_dev->image = frame->data;
                gspca_dev->image_len = 0;
-       } else if (gspca_dev->last_packet_type == DISCARD_PACKET) {
-               if (packet_type == LAST_PACKET)
-                       gspca_dev->last_packet_type = packet_type;
-               return;
+       } else {
+               switch (gspca_dev->last_packet_type) {
+               case DISCARD_PACKET:
+                       if (packet_type == LAST_PACKET)
+                               gspca_dev->last_packet_type = packet_type;
+                       return;
+               case LAST_PACKET:
+                       return;
+               }
        }
 
        /* append the packet to the frame buffer */
@@ -454,6 +459,12 @@ void gspca_frame_add(struct gspca_dev *gspca_dev,
                                gspca_dev->frsz);
                        packet_type = DISCARD_PACKET;
                } else {
+/* !! image is NULL only when last pkt is LAST or DISCARD
+                       if (gspca_dev->image == NULL) {
+                               err("gspca_frame_add() image == NULL");
+                               return;
+                       }
+ */
                        memcpy(gspca_dev->image + gspca_dev->image_len,
                                data, len);
                        gspca_dev->image_len += len;