This is an automated email from the ASF dual-hosted git repository. pkarashchenko pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
commit b296494fb85cddc111a1fcac46a644c68e844a0b Author: SPRESENSE <[email protected]> AuthorDate: Tue Mar 29 11:11:40 2022 +0900 drivers/video: Avoid additional overflow cases Add clip size validation to avoid additional overflow. --- drivers/video/video.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/video/video.c b/drivers/video/video.c index ac3fd47687..0826c97b60 100644 --- a/drivers/video/video.c +++ b/drivers/video/video.c @@ -1324,6 +1324,16 @@ static int video_cancel_dqbuf(FAR struct video_mng_s *vmng, return OK; } +static bool validate_clip_range(int32_t pos, uint32_t c_sz, uint16_t frm_sz) +{ + if ((pos < 0) || (c_sz > frm_sz) || (pos + c_sz > frm_sz)) + { + return false; + } + + return true; +} + static bool validate_clip_setting(FAR struct v4l2_rect *clip, FAR video_format_t *fmt) { @@ -1333,10 +1343,8 @@ static bool validate_clip_setting(FAR struct v4l2_rect *clip, /* Not permit the setting which do not fit inside frame size. */ - if ((clip->left < 0) || - (clip->top < 0) || - (clip->left + clip->width > fmt->width) || - (clip->top + clip->height > fmt->height)) + if (!validate_clip_range(clip->left, clip->width, fmt->width) || + !validate_clip_range(clip->top, clip->height, fmt->height)) { ret = false; }
