From b7866315a6c9004c5e0c201e55107ecd81951cdc Mon Sep 17 00:00:00 2001
From: Josep Torra <adn770@gmail.com>
Date: Tue, 31 May 2016 21:34:04 +0200
Subject: [PATCH] v4l2src: check for valid size on raw video buffers

Discard buffers that doesn't contain enough data when dealing
with raw video inputs.

https://bugzilla.gnome.org/show_bug.cgi?id=767086
---
 sys/v4l2/gstv4l2bufferpool.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sys/v4l2/gstv4l2bufferpool.c b/sys/v4l2/gstv4l2bufferpool.c
index c9648e2..3184bd8 100644
--- a/sys/v4l2/gstv4l2bufferpool.c
+++ b/sys/v4l2/gstv4l2bufferpool.c
@@ -1725,14 +1725,23 @@ gst_v4l2_buffer_pool_process (GstV4l2BufferPool * pool, GstBuffer ** buf)
 
           if ((*buf)->pool == bpool) {
             guint num_queued;
+            gsize size = gst_buffer_get_size (*buf);
 
-            if (gst_buffer_get_size (*buf) == 0) {
+            if (size == 0) {
               if (GST_BUFFER_FLAG_IS_SET (*buf, GST_BUFFER_FLAG_CORRUPTED))
                 goto buffer_corrupted;
               else
                 goto eos;
             }
 
+            /* verify that buffer contains a full frame for raw video */
+            if (GST_VIDEO_INFO_FORMAT (&obj->info) != GST_VIDEO_FORMAT_ENCODED
+                && size < GST_VIDEO_INFO_SIZE (&obj->info)) {
+              GST_WARNING_OBJECT (pool, "Invalid buffer size, this is likely "
+                  "due to a bug in your driver, dropping");
+              goto buffer_corrupted;
+            }
+
             num_queued = g_atomic_int_get (&pool->num_queued);
             GST_TRACE_OBJECT (pool, "Only %i buffer left in the capture queue.",
                 num_queued);
-- 
2.7.4