From: Dan Carpenter <error27@gmail.com>
Date: Wed, 10 Mar 2010 10:57:03 +0000 (-0300)
Subject: V4L/DVB: omap24xxcam: potential buffer overflow
X-Git-Tag: v2.6.34-rc7~10^2~15
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2132deff694765bc2e6c7ac84c6b30dab0775256;p=platform%2Fupstream%2Fkernel-adaptation-pc.git

V4L/DVB: omap24xxcam: potential buffer overflow

The previous loop goes until last == VIDEO_MAX_FRAME, so this could
potentially go one past the end of the loop.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---

diff --git a/drivers/media/video/omap24xxcam.c b/drivers/media/video/omap24xxcam.c
index b189fe6..ce76d95 100644
--- a/drivers/media/video/omap24xxcam.c
+++ b/drivers/media/video/omap24xxcam.c
@@ -1405,7 +1405,7 @@ static int omap24xxcam_mmap_buffers(struct file *file,
 	}
 
 	size = 0;
-	for (i = first; i <= last; i++) {
+	for (i = first; i <= last && i < VIDEO_MAX_FRAME; i++) {
 		struct videobuf_dmabuf *dma = videobuf_to_dma(vbq->bufs[i]);
 
 		for (j = 0; j < dma->sglen; j++) {