authorJean-François Moine <moinejf@free.fr>2010-07-29 09:46:02 +0400
committerMauro Carvalho Chehab <mchehab@redhat.com>2010-08-09 06:43:01 +0400
commitfe988f56c7c1bff52a4c26164ceb3dbd582de433 (patch)
tree175a6f05a609ab852a257457bf41912be7ca9105 /drivers/media
parent5fd8f7388c9a8601c2dbe0da458df602fe427e83 (diff)
V4L/DVB: gspca - main: Fix a crash in gspca_frame_add()
Some webcams, such as the ov511, may detect an end of image several times. In this case, with the last patch for image concatenation (commit 799b1bd41f398054d46fd35f73abd01c4009f6ca), the image pointer was NULL and the system crashed in memcpy(). Signed-off-by: Jean-François Moine <moinejf@free.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/video/gspca/gspca.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index 0004469691cc..b9846106913e 100644
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -440,10 +440,15 @@ void gspca_frame_add(struct gspca_dev *gspca_dev,
frame->v4l2_buf.sequence = ++gspca_dev->sequence;
gspca_dev->image = frame->data;
gspca_dev->image_len = 0;
- } else if (gspca_dev->last_packet_type == DISCARD_PACKET) {
- if (packet_type == LAST_PACKET)
- gspca_dev->last_packet_type = packet_type;
- return;
+ } else {
+ switch (gspca_dev->last_packet_type) {
+ case DISCARD_PACKET:
+ if (packet_type == LAST_PACKET)
+ gspca_dev->last_packet_type = packet_type;
+ return;
+ case LAST_PACKET:
+ return;
+ }
}
/* append the packet to the frame buffer */
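Review bot: The new `case LAST_PACKET: return;` drops every packet that arrives after an end of image without saying why, and the switch has no `default`. A comment on that case, for example `/* end of image already handled, image is NULL here */`, would record the invariant that the memcpy() further down depends on. Adding `default: break;` would make it explicit that the remaining packet types are meant to continue to the append path. The enclosing `if` and the body of gspca_frame_add() start outside the hunk.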
@@ -454,6 +459,12 @@ void gspca_frame_add(struct gspca_dev *gspca_dev,
gspca_dev->frsz);
packet_type = DISCARD_PACKET;
} else {
+/* !! image is NULL only when last pkt is LAST or DISCARD
+ if (gspca_dev->image == NULL) {
+ err("gspca_frame_add() image == NULL");
+ return;
+ }
+ */
memcpy(gspca_dev->image + gspca_dev->image_len,
data, len);
gspca_dev->image_len += len;
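Review bot: The NULL guard before `memcpy()` is committed as commented-out code, so the crash fix appears to rest entirely on the `last_packet_type` switch earlier in gspca_frame_add() keeping `image` non-NULL on this path. Packet sequencing is driven by the device, so a live check is cheap insurance against a kernel NULL dereference: `if (gspca_dev->image == NULL) return;` placed directly before the `memcpy()`. If the check is judged unnecessary, drop the dead block and keep only a one-line comment stating the invariant, e.g. `/* image is NULL only when last_packet_type is LAST_PACKET or DISCARD_PACKET */`. The function body starts and ends outside the hunk.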