From 3610f58bb1d545fe3f3767ec8ca3251383e9c728 Mon Sep 17 00:00:00 2001 From: Frank Schaefer Date: Sun, 25 Nov 2012 06:37:33 -0300 Subject: [PATCH] [media] em28xx: make sure the packet size is >= 4 before checking for headers in em28xx_urb_data_copy_vbi() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Frank Schäfer Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/em28xx/em28xx-video.c | 45 +++++++++++++------------ 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c index fec8847e84d8..da31fd495466 100644 --- a/drivers/media/usb/em28xx/em28xx-video.c +++ b/drivers/media/usb/em28xx/em28xx-video.c @@ -576,7 +576,7 @@ static inline int em28xx_urb_data_copy_vbi(struct em28xx *dev, struct urb *urb) urb->iso_frame_desc[i].offset; } - if (actual_length <= 0) { + if (actual_length == 0) { /* NOTE: happens very often with isoc transfers */ /* em28xx_usbdbg("packet %d is empty",i); - spammy */ continue; @@ -585,27 +585,30 @@ static inline int em28xx_urb_data_copy_vbi(struct em28xx *dev, struct urb *urb) /* capture type 0 = vbi start capture type 1 = video start capture type 2 = video in progress */ - if (p[0] == 0x33 && p[1] == 0x95) { - dev->capture_type = 0; - dev->vbi_read = 0; - em28xx_isocdbg("VBI START HEADER!!!\n"); - dev->cur_field = p[2]; - p += 4; - len = actual_length - 4; - } else if (p[0] == 0x88 && p[1] == 0x88 && - p[2] == 0x88 && p[3] == 0x88) { - /* continuation */ - p += 4; - len = actual_length - 4; - } else if (p[0] == 0x22 && p[1] == 0x5a) { - /* start video */ - p += 4; - len = actual_length - 4; - } else { - /* NOTE: With bulk transfers, intermediate data packets - * have no continuation header */ - len = actual_length; + len = actual_length; + if (len >= 4) { + /* NOTE: headers are always 4 bytes and + * never split across packets */ + if (p[0] == 0x33 && p[1] == 0x95) { + dev->capture_type = 0; + dev->vbi_read = 0; + em28xx_isocdbg("VBI START HEADER!!!\n"); + dev->cur_field = p[2]; + p += 4; + len -= 4; + } else if (p[0] == 0x88 && p[1] == 0x88 && + p[2] == 0x88 && p[3] == 0x88) { + /* continuation */ + p += 4; + len -= 4; + } else if (p[0] == 0x22 && p[1] == 0x5a) { + /* start video */ + p += 4; + len -= 4; + } } + /* NOTE: with bulk transfers, intermediate data packets + * have no continuation header */ vbi_size = dev->vbi_width * dev->vbi_height; -- 2.34.1