diff options
author | Cyrill Gorcunov <gorcunov@gmail.com> | 2008-03-05 20:24:43 -0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2008-03-20 12:39:01 -0300 |
commit | c77990e754af7443246f24ccb2336bbd62b01cc0 (patch) | |
tree | b6bccab9d53fdea4884326f7baf9827eb8537990 | |
parent | 77596058e1c2ad95b566dfdc926611a8dd820ee0 (diff) | |
download | lwn-c77990e754af7443246f24ccb2336bbd62b01cc0.tar.gz lwn-c77990e754af7443246f24ccb2336bbd62b01cc0.zip |
V4L/DVB (7330): V4L1 - fix v4l_compat_translate_ioctl possible NULL deref
There are possible NULL pointer derefs in case of kzalloc fails so fix them.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
-rw-r--r-- | drivers/media/video/v4l1-compat.c | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/drivers/media/video/v4l1-compat.c b/drivers/media/video/v4l1-compat.c index dcf22a3b672a..50e1ff9f2be5 100644 --- a/drivers/media/video/v4l1-compat.c +++ b/drivers/media/video/v4l1-compat.c @@ -303,7 +303,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_capability *cap = arg; - cap2 = kzalloc(sizeof(*cap2),GFP_KERNEL); + cap2 = kzalloc(sizeof(*cap2), GFP_KERNEL); + if (!cap2) { + err = -ENOMEM; + break; + } memset(cap, 0, sizeof(*cap)); memset(&fbuf2, 0, sizeof(fbuf2)); @@ -426,7 +430,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_window *win = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(win,0,sizeof(*win)); fmt2->type = V4L2_BUF_TYPE_VIDEO_OVERLAY; @@ -464,7 +472,11 @@ v4l_compat_translate_ioctl(struct inode *inode, struct video_window *win = arg; int err1,err2; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; drv(inode, file, VIDIOC_STREAMOFF, &fmt2->type); err1 = drv(inode, file, VIDIOC_G_FMT, fmt2); @@ -586,6 +598,12 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_picture *pict = arg; + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } + pict->brightness = get_v4l_control(inode, file, V4L2_CID_BRIGHTNESS,drv); pict->hue = get_v4l_control(inode, file, @@ -597,7 +615,6 @@ v4l_compat_translate_ioctl(struct inode *inode, pict->whiteness = get_v4l_control(inode, file, V4L2_CID_WHITENESS, drv); - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); if (err < 0) { @@ -617,6 +634,11 @@ v4l_compat_translate_ioctl(struct inode *inode, struct video_picture *pict = arg; int mem_err = 0, ovl_err = 0; + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(&fbuf2, 0, sizeof(fbuf2)); set_v4l_control(inode, file, @@ -636,7 +658,6 @@ v4l_compat_translate_ioctl(struct inode *inode, * different pixel formats for memory vs overlay. */ - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); /* If VIDIOC_G_FMT failed, then the driver likely doesn't @@ -890,7 +911,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct video_mmap *mm = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } memset(&buf2,0,sizeof(buf2)); fmt2->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; @@ -986,7 +1011,11 @@ v4l_compat_translate_ioctl(struct inode *inode, { struct vbi_format *fmt = arg; - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; err = drv(inode, file, VIDIOC_G_FMT, fmt2); @@ -1018,8 +1047,11 @@ v4l_compat_translate_ioctl(struct inode *inode, break; } - fmt2 = kzalloc(sizeof(*fmt2),GFP_KERNEL); - + fmt2 = kzalloc(sizeof(*fmt2), GFP_KERNEL); + if (!fmt2) { + err = -ENOMEM; + break; + } fmt2->type = V4L2_BUF_TYPE_VBI_CAPTURE; fmt2->fmt.vbi.samples_per_line = fmt->samples_per_line; fmt2->fmt.vbi.sampling_rate = fmt->sampling_rate; |