[PATCH v4 3/4] media: v4l2-ctrl: Validate VP8 stateless decoder controls
From: Ezequiel Garcia
Date: Thu Jul 11 2019 - 16:27:16 EST
Only one field needs to be validated: 'num_dct_parts'.
This field is used to iterate over the user-provided array
'dct_part_sizes'.
Signed-off-by: Ezequiel Garcia <ezequiel@xxxxxxxxxxxxx>
---
Changes from v3:
* Zero padding fields, as pointed out by Hans.
Changes from v2:
* New patch
---
drivers/media/v4l2-core/v4l2-ctrls.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
index b2c9f5816c4a..055558ed6322 100644
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1633,10 +1633,15 @@ static void std_log(const struct v4l2_ctrl *ctrl)
})
/* Validate a new control */
+
+#define zero_padding(s) \
+ memset(&s.padding, 0, sizeof(s.padding))
+
static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
union v4l2_ctrl_ptr ptr)
{
struct v4l2_ctrl_mpeg2_slice_params *p_mpeg2_slice_params;
+ struct v4l2_ctrl_vp8_frame_header *p_vp8_frame_header;
void *p = ptr.p + idx * ctrl->elem_size;
switch ((u32)ctrl->type) {
@@ -1696,6 +1701,22 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
break;
case V4L2_CTRL_TYPE_VP8_FRAME_HEADER:
+ p_vp8_frame_header = p;
+
+ switch (p_vp8_frame_header->num_dct_parts) {
+ case 1:
+ case 2:
+ case 4:
+ case 8:
+ break;
+ default:
+ return -EINVAL;
+ }
+ zero_padding(p_vp8_frame_header->segment_header);
+ zero_padding(p_vp8_frame_header->lf_header);
+ zero_padding(p_vp8_frame_header->quant_header);
+ zero_padding(p_vp8_frame_header->entropy_header);
+ zero_padding(p_vp8_frame_header->coder_state);
break;
default:
return -EINVAL;
--
2.20.1