* [PATCH] vivid: sanatize selection rectangle
@ 2015-03-15 16:42 Hans Verkuil
0 siblings, 0 replies; only message in thread
From: Hans Verkuil @ 2015-03-15 16:42 UTC (permalink / raw)
To: Linux Media Mailing List
Handle values like ~0 as width, height, left or top fields.
Just strip off the top 16 bits will ensure that the calculations
remain OK.
Found with v4l2-compliance.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
---
drivers/media/platform/vivid/vivid-vid-common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/vivid/vivid-vid-common.c b/drivers/media/platform/vivid/vivid-vid-common.c
index 283b2e8..53f0c1d 100644
--- a/drivers/media/platform/vivid/vivid-vid-common.c
+++ b/drivers/media/platform/vivid/vivid-vid-common.c
@@ -694,6 +694,9 @@ int vivid_vid_adjust_sel(unsigned flags, struct v4l2_rect *r)
unsigned w = r->width;
unsigned h = r->height;
+ /* sanitize w and h in case someone passes ~0 as the value */
+ w &= 0xffff;
+ h &= 0xffff;
if (!(flags & V4L2_SEL_FLAG_LE)) {
w++;
h++;
@@ -718,8 +721,9 @@ int vivid_vid_adjust_sel(unsigned flags, struct v4l2_rect *r)
r->top = 0;
if (r->left < 0)
r->left = 0;
- r->left &= ~1;
- r->top &= ~1;
+ /* sanitize left and top in case someone passes ~0 as the value */
+ r->left &= 0xfffe;
+ r->top &= 0xfffe;
if (r->left + w > MAX_WIDTH)
r->left = MAX_WIDTH - w;
if (r->top + h > MAX_HEIGHT)
--
2.1.4
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2015-03-15 16:42 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-15 16:42 [PATCH] vivid: sanatize selection rectangle Hans Verkuil
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.