From ed1da130a6ebe7e7c8485668758ca3f96c413672 Mon Sep 17 00:00:00 2001
From: Nikhil Devshatwar <nikhil.nd@ti.com>
Date: Thu, 19 Jun 2014 15:26:37 +0530
Subject: [PATCH] media: vb2: verify data_offset only if nonzero bytesused

verify_planes would fail if the user space fills up the data_offset field
and bytesused is left as zero. Correct this.
When comparing data_offset > bytesused, bypass the check if the
bytesused field is set to zero.

Change-Id: I4c63bc03f6d455ce00a56d63df08c624579bc831
Signed-off-by: Nikhil Devshatwar <nikhil.nd@ti.com>
---
 drivers/media/v4l2-core/videobuf2-core.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 1a59e26..13f68b7 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -394,12 +394,9 @@ static int __verify_length(struct vb2_buffer *vb, const struct v4l2_buffer *b)
 			       ? b->m.planes[plane].length
 			       : vb->v4l2_planes[plane].length;
 
-			if (b->m.planes[plane].bytesused > length)
-				return -EINVAL;
-
-			if (b->m.planes[plane].data_offset > 0 &&
-			    b->m.planes[plane].data_offset >=
-			    b->m.planes[plane].bytesused)
+			if (b->m.planes[plane].bytesused > 0 &&
+			    b->m.planes[plane].data_offset +
+			    b->m.planes[plane].bytesused > length)
 				return -EINVAL;
 		}
 	} else {
-- 
1.9.1