summaryrefslogtreecommitdiff
path: root/drivers/media/v4l2-core
diff options
context:
space:
mode:
authorHans Verkuil <hverkuil@xs4all.nl>2014-07-18 12:15:21 +0400
committerMauro Carvalho Chehab <m.chehab@samsung.com>2014-07-22 07:42:32 +0400
commit958c7c7e65999c61af7da0812d2de12daa8fc29e (patch)
tree622f16bad8c727e091290c35c6764fa278a34efb /drivers/media/v4l2-core
parent12c78e665f96b3f73dc0b6a6190a4871fe526293 (diff)
downloadlinux-958c7c7e65999c61af7da0812d2de12daa8fc29e.tar.xz
[media] v4l2-ctrls: fix corner case in round-to-range code
If you have a maximum that is at the limit of what the type supports, and the step is > 1, then you can get wrap-around errors since the code assumes that the maximum that the type supports is ctrl->maximum + ctrl->step / 2. In practice this is always fine, but in artificially crafted ranges you will hit this bug. Since this is core code it should just work. This bug has always been there but since it doesn't cause problems in practice it was never noticed. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Diffstat (limited to 'drivers/media/v4l2-core')
-rw-r--r--drivers/media/v4l2-core/v4l2-ctrls.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c
index 1acc7aa9d7e2..004e7e82e1e0 100644
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1295,11 +1295,19 @@ static void std_log(const struct v4l2_ctrl *ctrl)
}
}
-/* Round towards the closest legal value */
+/*
+ * Round towards the closest legal value. Be careful when we are
+ * close to the maximum range of the control type to prevent
+ * wrap-arounds.
+ */
#define ROUND_TO_RANGE(val, offset_type, ctrl) \
({ \
offset_type offset; \
- val += (ctrl)->step / 2; \
+ if ((ctrl)->maximum >= 0 && \
+ val >= (ctrl)->maximum - ((ctrl)->step / 2)) \
+ val = (ctrl)->maximum; \
+ else \
+ val += (ctrl)->step / 2; \
val = clamp_t(typeof(val), val, \
(ctrl)->minimum, (ctrl)->maximum); \
offset = (val) - (ctrl)->minimum; \
@@ -1325,7 +1333,10 @@ static int std_validate(const struct v4l2_ctrl *ctrl, u32 idx,
* the u64 divide that needs special care.
*/
val = ptr.p_s64[idx];
- val += ctrl->step / 2;
+ if (ctrl->maximum >= 0 && val >= ctrl->maximum - ctrl->step / 2)
+ val = ctrl->maximum;
+ else
+ val += ctrl->step / 2;
val = clamp_t(s64, val, ctrl->minimum, ctrl->maximum);
offset = val - ctrl->minimum;
do_div(offset, ctrl->step);