* [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer
@ 2014-01-06 12:41 Ethan Zhao
2014-01-10 13:05 ` Hans Verkuil
2014-01-10 15:21 ` Hans Verkuil
0 siblings, 2 replies; 3+ messages in thread
From: Ethan Zhao @ 2014-01-06 12:41 UTC (permalink / raw)
To: hans.verkuil, m.chehab, gregkh; +Cc: linux-kernel, Ethan Zhao
Function saa7146_format_by_fourcc() may return NULL, reference of the returned
result would cause NULL pointer issue without checking.
Signed-off-by: Ethan Zhao <ethan.kernel@gmail.com>
---
drivers/media/common/saa7146/saa7146_hlp.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/drivers/media/common/saa7146/saa7146_hlp.c b/drivers/media/common/saa7146/saa7146_hlp.c
index be746d1..1c9518b 100644
--- a/drivers/media/common/saa7146/saa7146_hlp.c
+++ b/drivers/media/common/saa7146/saa7146_hlp.c
@@ -575,6 +575,7 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
*/
u32 base = (u32)(unsigned long)vv->ov_fb.base;
+ int which = 1;
struct saa7146_video_dma vdma1;
/* calculate memory offsets for picture, look if we shall top-down-flip */
@@ -608,10 +609,14 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
vdma1.pitch *= -1;
}
- vdma1.base_page = sfmt->swap;
+ if (sfmt)
+ vdma1.base_page = sfmt->swap;
+ else
+ which = 0;
+
vdma1.num_line_byte = (vv->standard->v_field<<16)+vv->standard->h_pixels;
- saa7146_write_out_dma(dev, 1, &vdma1);
+ saa7146_write_out_dma(dev, which, &vdma1);
}
static void saa7146_set_output_format(struct saa7146_dev *dev, unsigned long palette)
@@ -713,7 +718,12 @@ static int calculate_video_dma_grab_packed(struct saa7146_dev* dev, struct saa71
int bytesperline = buf->fmt->bytesperline;
enum v4l2_field field = buf->fmt->field;
- int depth = sfmt->depth;
+ int depth;
+
+ if (sfmt)
+ depth = sfmt->depth;
+ else
+ return -EINVAL;
DEB_CAP("[size=%dx%d,fields=%s]\n",
width, height, v4l2_field_names[field]);
@@ -837,6 +847,9 @@ static int calculate_video_dma_grab_planar(struct saa7146_dev* dev, struct saa71
int height = buf->fmt->height;
enum v4l2_field field = buf->fmt->field;
+ if (!sfmt)
+ return -EINVAL;
+
BUG_ON(0 == buf->pt[0].dma);
BUG_ON(0 == buf->pt[1].dma);
BUG_ON(0 == buf->pt[2].dma);
@@ -1004,6 +1017,9 @@ void saa7146_set_capture(struct saa7146_dev *dev, struct saa7146_buf *buf, struc
DEB_CAP("buf:%p, next:%p\n", buf, next);
+ if (!sfmt)
+ return;
+
vdma1_prot_addr = saa7146_read(dev, PROT_ADDR1);
if( 0 == vdma1_prot_addr ) {
/* clear out beginning of streaming bit (rps register 0)*/
--
1.8.3.4 (Apple Git-47)
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer
2014-01-06 12:41 [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer Ethan Zhao
@ 2014-01-10 13:05 ` Hans Verkuil
2014-01-10 15:21 ` Hans Verkuil
1 sibling, 0 replies; 3+ messages in thread
From: Hans Verkuil @ 2014-01-10 13:05 UTC (permalink / raw)
To: Ethan Zhao; +Cc: hans.verkuil, m.chehab, gregkh, linux-media
Ethan,
FYI: please post such media patches to the linux-media mailinglist in the future.
That way they will be picked up by patchwork and it makes handling them a lot easier.
I'm CC-ing that mailinglist in this reply so everyone can take a look at this patch.
Regards,
Hans
On 01/06/14 13:41, Ethan Zhao wrote:
> Function saa7146_format_by_fourcc() may return NULL, reference of the returned
> result would cause NULL pointer issue without checking.
>
> Signed-off-by: Ethan Zhao <ethan.kernel@gmail.com>
> ---
> drivers/media/common/saa7146/saa7146_hlp.c | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/media/common/saa7146/saa7146_hlp.c b/drivers/media/common/saa7146/saa7146_hlp.c
> index be746d1..1c9518b 100644
> --- a/drivers/media/common/saa7146/saa7146_hlp.c
> +++ b/drivers/media/common/saa7146/saa7146_hlp.c
> @@ -575,6 +575,7 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
> */
> u32 base = (u32)(unsigned long)vv->ov_fb.base;
>
> + int which = 1;
> struct saa7146_video_dma vdma1;
>
> /* calculate memory offsets for picture, look if we shall top-down-flip */
> @@ -608,10 +609,14 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
> vdma1.pitch *= -1;
> }
>
> - vdma1.base_page = sfmt->swap;
> + if (sfmt)
> + vdma1.base_page = sfmt->swap;
> + else
> + which = 0;
> +
> vdma1.num_line_byte = (vv->standard->v_field<<16)+vv->standard->h_pixels;
>
> - saa7146_write_out_dma(dev, 1, &vdma1);
> + saa7146_write_out_dma(dev, which, &vdma1);
> }
>
> static void saa7146_set_output_format(struct saa7146_dev *dev, unsigned long palette)
> @@ -713,7 +718,12 @@ static int calculate_video_dma_grab_packed(struct saa7146_dev* dev, struct saa71
> int bytesperline = buf->fmt->bytesperline;
> enum v4l2_field field = buf->fmt->field;
>
> - int depth = sfmt->depth;
> + int depth;
> +
> + if (sfmt)
> + depth = sfmt->depth;
> + else
> + return -EINVAL;
>
> DEB_CAP("[size=%dx%d,fields=%s]\n",
> width, height, v4l2_field_names[field]);
> @@ -837,6 +847,9 @@ static int calculate_video_dma_grab_planar(struct saa7146_dev* dev, struct saa71
> int height = buf->fmt->height;
> enum v4l2_field field = buf->fmt->field;
>
> + if (!sfmt)
> + return -EINVAL;
> +
> BUG_ON(0 == buf->pt[0].dma);
> BUG_ON(0 == buf->pt[1].dma);
> BUG_ON(0 == buf->pt[2].dma);
> @@ -1004,6 +1017,9 @@ void saa7146_set_capture(struct saa7146_dev *dev, struct saa7146_buf *buf, struc
>
> DEB_CAP("buf:%p, next:%p\n", buf, next);
>
> + if (!sfmt)
> + return;
> +
> vdma1_prot_addr = saa7146_read(dev, PROT_ADDR1);
> if( 0 == vdma1_prot_addr ) {
> /* clear out beginning of streaming bit (rps register 0)*/
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer
2014-01-06 12:41 [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer Ethan Zhao
2014-01-10 13:05 ` Hans Verkuil
@ 2014-01-10 15:21 ` Hans Verkuil
1 sibling, 0 replies; 3+ messages in thread
From: Hans Verkuil @ 2014-01-10 15:21 UTC (permalink / raw)
To: Ethan Zhao; +Cc: hans.verkuil, m.chehab, gregkh, Linux Media Mailing List
Hi Ethan,
On 01/06/2014 01:41 PM, Ethan Zhao wrote:
> Function saa7146_format_by_fourcc() may return NULL, reference of the returned
> result would cause NULL pointer issue without checking.
>
> Signed-off-by: Ethan Zhao <ethan.kernel@gmail.com>
> ---
> drivers/media/common/saa7146/saa7146_hlp.c | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/media/common/saa7146/saa7146_hlp.c b/drivers/media/common/saa7146/saa7146_hlp.c
> index be746d1..1c9518b 100644
> --- a/drivers/media/common/saa7146/saa7146_hlp.c
> +++ b/drivers/media/common/saa7146/saa7146_hlp.c
> @@ -575,6 +575,7 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
> */
> u32 base = (u32)(unsigned long)vv->ov_fb.base;
>
> + int which = 1;
> struct saa7146_video_dma vdma1;
>
> /* calculate memory offsets for picture, look if we shall top-down-flip */
> @@ -608,10 +609,14 @@ static void saa7146_set_position(struct saa7146_dev *dev, int w_x, int w_y, int
> vdma1.pitch *= -1;
> }
>
> - vdma1.base_page = sfmt->swap;
> + if (sfmt)
> + vdma1.base_page = sfmt->swap;
> + else
> + which = 0;
I wouldn't do this. If sfmt == NULL, then just return and do nothing. Unless there
is some reason for calling saa7146_write_out_dma() anyway that I don't get?
If sfmt == NULL when you get here, then something is seriously wrong in any case.
> vdma1.num_line_byte = (vv->standard->v_field<<16)+vv->standard->h_pixels;
>
> - saa7146_write_out_dma(dev, 1, &vdma1);
> + saa7146_write_out_dma(dev, which, &vdma1);
> }
>
> static void saa7146_set_output_format(struct saa7146_dev *dev, unsigned long palette)
> @@ -713,7 +718,12 @@ static int calculate_video_dma_grab_packed(struct saa7146_dev* dev, struct saa71
> int bytesperline = buf->fmt->bytesperline;
> enum v4l2_field field = buf->fmt->field;
>
> - int depth = sfmt->depth;
> + int depth;
> +
> + if (sfmt)
> + depth = sfmt->depth;
> + else
> + return -EINVAL;
I prefer this the other way around:
if (!sfmt)
return -EINVAL;
depth = sfmt->depth;
It's slightly shorter and saves one indent.
>
> DEB_CAP("[size=%dx%d,fields=%s]\n",
> width, height, v4l2_field_names[field]);
> @@ -837,6 +847,9 @@ static int calculate_video_dma_grab_planar(struct saa7146_dev* dev, struct saa71
> int height = buf->fmt->height;
> enum v4l2_field field = buf->fmt->field;
>
> + if (!sfmt)
> + return -EINVAL;
> +
> BUG_ON(0 == buf->pt[0].dma);
> BUG_ON(0 == buf->pt[1].dma);
> BUG_ON(0 == buf->pt[2].dma);
> @@ -1004,6 +1017,9 @@ void saa7146_set_capture(struct saa7146_dev *dev, struct saa7146_buf *buf, struc
>
> DEB_CAP("buf:%p, next:%p\n", buf, next);
>
> + if (!sfmt)
> + return;
> +
> vdma1_prot_addr = saa7146_read(dev, PROT_ADDR1);
> if( 0 == vdma1_prot_addr ) {
> /* clear out beginning of streaming bit (rps register 0)*/
>
Regards,
Hans
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-01-10 15:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-01-06 12:41 [PATCH] [media] saa7146: check return value of saa7146_format_by_fourcc() to avoid NULL pointer Ethan Zhao
2014-01-10 13:05 ` Hans Verkuil
2014-01-10 15:21 ` Hans Verkuil
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.