From 068a0df76023926af958a336a78bef60468d2033 Mon Sep 17 00:00:00 2001
From: Seung-Woo Kim <sw0312.kim@samsung.com>
Date: Thu, 11 Apr 2013 23:57:57 -0300
Subject: [PATCH] [media] media: vb2: add length check for mmap

The length of mmap() can be bigger than length of vb2 buffer, so
it should be checked.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 02bb5e7..58c1744 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
 
 	vb = q->bufs[buffer];
 
+	if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
+		dprintk(1, "Invalid length\n");
+		return -EINVAL;
+	}
+
 	ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma);
 	if (ret)
 		return ret;
-- 
2.7.4