From fe988f56c7c1bff52a4c26164ceb3dbd582de433 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Jean-Fran=C3=A7ois=20Moine?= Date: Thu, 29 Jul 2010 02:46:02 -0300 Subject: [PATCH] V4L/DVB: gspca - main: Fix a crash in gspca_frame_add() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Some webcams as ov511 may find many times an end of image. In this case, with the last patch in image concatenation (commit 799b1bd41f398054d46fd35f73abd01c4009f6ca), the image pointer was NULL and the system crashed in memcpy(). Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab --- drivers/media/video/gspca/gspca.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c index 0004469691cc..b9846106913e 100644 --- a/drivers/media/video/gspca/gspca.c +++ b/drivers/media/video/gspca/gspca.c @@ -440,10 +440,15 @@ void gspca_frame_add(struct gspca_dev *gspca_dev, frame->v4l2_buf.sequence = ++gspca_dev->sequence; gspca_dev->image = frame->data; gspca_dev->image_len = 0; - } else if (gspca_dev->last_packet_type == DISCARD_PACKET) { - if (packet_type == LAST_PACKET) - gspca_dev->last_packet_type = packet_type; - return; + } else { + switch (gspca_dev->last_packet_type) { + case DISCARD_PACKET: + if (packet_type == LAST_PACKET) + gspca_dev->last_packet_type = packet_type; + return; + case LAST_PACKET: + return; + } } /* append the packet to the frame buffer */ @@ -454,6 +459,12 @@ void gspca_frame_add(struct gspca_dev *gspca_dev, gspca_dev->frsz); packet_type = DISCARD_PACKET; } else { +/* !! image is NULL only when last pkt is LAST or DISCARD + if (gspca_dev->image == NULL) { + err("gspca_frame_add() image == NULL"); + return; + } + */ memcpy(gspca_dev->image + gspca_dev->image_len, data, len); gspca_dev->image_len += len; -- 2.34.1