commit fe988f56c7c1bff52a4c26164ceb3dbd582de433
author Jean-François Moine <moinejf@free.fr> Thu Jul 29 02:46:02 2010 -0300
committer Mauro Carvalho Chehab <mchehab@redhat.com> Sun Aug 08 23:43:01 2010 -0300
tree 175a6f05a609ab852a257457bf41912be7ca9105
parent 5fd8f7388c9a8601c2dbe0da458df602fe427e83

V4L/DVB: gspca - main: Fix a crash in gspca_frame_add()

Some webcams as ov511 may find many times an end of image.
In this case, with the last patch in image concatenation
(commit 799b1bd41f398054d46fd35f73abd01c4009f6ca),
the image pointer was NULL and the system crashed in memcpy().

Signed-off-by: Jean-François Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

drivers/media/video/gspca/gspca.c

diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c
index 0004469..b984610 100644
--- a/drivers/media/video/gspca/gspca.c
+++ b/drivers/media/video/gspca/gspca.c
@@ -440,10 +440,15 @@
 		frame->v4l2_buf.sequence = ++gspca_dev->sequence;
 		gspca_dev->image = frame->data;
 		gspca_dev->image_len = 0;
-	} else if (gspca_dev->last_packet_type == DISCARD_PACKET) {
-		if (packet_type == LAST_PACKET)
-			gspca_dev->last_packet_type = packet_type;
-		return;
+	} else {
+		switch (gspca_dev->last_packet_type) {
+		case DISCARD_PACKET:
+			if (packet_type == LAST_PACKET)
+				gspca_dev->last_packet_type = packet_type;
+			return;
+		case LAST_PACKET:
+			return;
+		}
 	}
 
 	/* append the packet to the frame buffer */
@@ -454,6 +459,12 @@
 				gspca_dev->frsz);
 			packet_type = DISCARD_PACKET;
 		} else {
+/* !! image is NULL only when last pkt is LAST or DISCARD
+			if (gspca_dev->image == NULL) {
+				err("gspca_frame_add() image == NULL");
+				return;
+			}
+ */
 			memcpy(gspca_dev->image + gspca_dev->image_len,
 				data, len);
 			gspca_dev->image_len += len;