V4L/DVB: omap24xxcam: potential buffer overflow

The previous loop goes until last == VIDEO_MAX_FRAME, so this could potentially go one past the end of the loop. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

V4L/DVB: omap24xxcam: potential buffer overflow
The previous loop goes until last == VIDEO_MAX_FRAME, so this could potentially go one past the end of the loop. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2132deff · Dan Carpenter · Mauro Carvalho Chehab · 722154e4 · 2132deff
Commit 2132deff authored Mar 10, 2010 by Dan Carpenter Committed by Mauro Carvalho Chehab May 06, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/media/video/omap24xxcam.c drivers/media/video/omap24xxcam.c +1 -1

No files found.
--- a/drivers/media/video/omap24xxcam.c
+++ b/drivers/media/video/omap24xxcam.c
@@ -1405,7 +1405,7 @@ static int omap24xxcam_mmap_buffers(struct file *file,
 	}

 	size = 0;
-	for (i = first; i <= last; i++) {
+	for (i = first; i <= last && i < VIDEO_MAX_FRAME; i++) {
 		struct videobuf_dmabuf *dma = videobuf_to_dma(vbq->bufs[i]);

 		for (j = 0; j < dma->sglen; j++) {