From dcf473889815a80134719160503fe9dfe846ed2c Mon Sep 17 00:00:00 2001
From: Sophia Giannikakis
Date: Mon, 21 Oct 2019 15:36:07 +0200
Subject: video cache wrap-around check added
---
 ChangeLog | 5 +++++
 o3000.c | 9 +--------
 o3000.h | 3 ++-
 o3000_private.h | 7 +++++++
 o3000_xfer_handler.c | 9 +++++++++
 5 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f1ec48c..afab5af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@
 - ChangeLog O-3000 Host Driver
 -------------------------------------------------------------------------------
+Version 2.0.3
+ 2019-09-25 - SP
+ * Added "paranoia check" for wraparound_chunk_size check in handle_transfer().
+ * Moved macro definition of MAX_IMAGE_SIZE from o3000.c to o3000_private.h.
+
 Version 2.0.2
 2018-04-11-PR
 * Function handle_transfer() rewritten:
diff --git a/o3000.c b/o3000.c
index 16b355f..89e6299 100644
--- a/o3000.c
+++ b/o3000.c
@@ -254,16 +254,9 @@ or a transfer may contain several frames.
 #define XML_IN_BUF_SIZE 16384
-/**
- * Maximum image size ever expected.
- *
- * @note The size must be a multiple of 512 bytes!
- */
-#define MAX_IMAGE_SIZE (1280*964*2+IMAGE_HEADER_SIZE)
-
 /**
 * Minimum video cache size.
- * It's the double of the maximum image size ever expected.
+ * It's equal to the maximum image size which would appear.
 */
 #define MIN_VIDEO_CACHE_SIZE (MAX_IMAGE_SIZE)
diff --git a/o3000.h b/o3000.h
index 8b297a6..274956e 100644
--- a/o3000.h
+++ b/o3000.h
@@ -36,7 +36,8 @@
 /**
 * O-3000 library version
 */
-#define O3000_VERSION "2.0.2"
+#define O3000_VERSION "2.0.3"
+
 #define O3000_VID 0x0483 ///< O3000 vendor ID
 #define O3000_PID 0xA098 ///< O3000 product ID
diff --git a/o3000_private.h b/o3000_private.h
index d6e3490..fb55ecf 100644
--- a/o3000_private.h
+++ b/o3000_private.h
@@ -40,6 +40,13 @@
 #define FALSE 0 ///< FALSE value must be 0
+/**
+ * Maximum image size ever expected.
+ *
+ * @note The size must be a multiple of 512 bytes!
+ */
+#define MAX_IMAGE_SIZE (1280*964*2+IMAGE_HEADER_SIZE)
+
 /**
 * Image frame synchronization state
diff --git a/o3000_xfer_handler.c b/o3000_xfer_handler.c
index 0d3897b..d0cc73b 100644
--- a/o3000_xfer_handler.c
+++ b/o3000_xfer_handler.c
@@ -150,6 +150,15 @@ void handle_transfer(struct o3000_session_t *session, uint8_t *addr, int len) {
 * to the video cache.
 */
 wraparound_chunk_size = session->frame_size - (session->frame_buf - session->frame_start);
+ if(wraparound_chunk_size < 0 || wraparound_chunk_size > MAX_IMAGE_SIZE) {
+ /*
+ * Paranoia check:
+ * Ensure that the wraparound_chunk_size is always positive and does not exceed the end of the frame_buf.
+ * (Cases were noticed where the wraparound_chunk_size becomes negative.)
+ */
+ session->frame_state = IMG_FRAME_STATE_NOSYNC;
+ return;
+ }
 o3000_log(session, O3000_LOG_DEBUG, "%s: wrap-around, copy %d bytes to frame buffer\n", __func__, wraparound_chunk_size);
 memcpy(session->frame_buf, session->video_cache, wraparound_chunk_size);
 }
-- 
cgit v1.2.1
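Review bot: The `@note` that MAX_IMAGE_SIZE must be a multiple of 512 bytes is enforced only by a comment in the o3000_private.h hunk, while the same commit starts using the macro as the upper bound for a `memcpy` length in handle_transfer(). Since 1280*964*2 is already a multiple of 512, the constraint rests entirely on `IMAGE_HEADER_SIZE`, whose definition is not visible here. If the build allows C11, a line such as `_Static_assert((MAX_IMAGE_SIZE) % 512 == 0, "MAX_IMAGE_SIZE must be a multiple of 512");` after the definition would turn the note into a compile-time check. That line requires `IMAGE_HEADER_SIZE` to be defined before this header is included.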
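Review bot: The upper bound in the added `if` is the compile-time constant `MAX_IMAGE_SIZE`, not the space actually left behind `session->frame_buf`, so the check does not enforce what its comment promises ("does not exceed the end of the frame_buf"). `frame_size` presumably originates from the image header sent by the camera, so a value that passes this test could still let the following `memcpy` write past the destination or read more of `video_cache` than was filled; the limit should be derived from the real buffer and cache sizes kept in the session, which are not visible in this hunk. The early return is also silent, which hides the negative-size condition the comment says was observed; a line such as `o3000_log(session, O3000_LOG_DEBUG, "%s: invalid wrap-around size %d, resync\n", __func__, wraparound_chunk_size);` before `return;` would leave a trace (at a higher level if the library defines one). handle_transfer() starts outside the hunk, so whether the NOSYNC path resets `frame_buf`, `frame_start` and `frame_size` cannot be confirmed from here.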