From e84f749c02b7b7a6c97af9a1ba38aeb0a3dd800e Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Mardelle
Date: Wed, 9 Nov 2011 02:43:04 +0100
Subject: [PATCH] Fix buffer overflow caused by unexpected v4l output
---
 src/v4l/src.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/v4l/src.c b/src/v4l/src.c
index b265b989..5d7666fc 100644
--- a/src/v4l/src.c
+++ b/src/v4l/src.c
@@ -112,8 +112,9 @@ const char *query_v4ldevice(src_t *src, char **pixelformatdescription)
 while (ioctl(s->fd, VIDIOC_ENUM_FMT, &fmt) != -1) {
- snprintf( value, sizeof(value), ">%c%c%c%c", fmt.pixelformat >> 0, fmt.pixelformat >> 8, fmt.pixelformat >> 16, fmt.pixelformat >> 24 );
- strcat(*pixelformatdescription, (char *) value);
+ if (strlen(*pixelformatdescription) > 2000) break;
+ if (snprintf( value, sizeof(value), ">%c%c%c%c", fmt.pixelformat >> 0, fmt.pixelformat >> 8, fmt.pixelformat >> 16, fmt.pixelformat >> 24 ) > 0)
+ strcat(*pixelformatdescription, (char *) value);
 fprintf(stderr, "detected format: %s: %c%c%c%c\n", fmt.description, fmt.pixelformat >> 0, fmt.pixelformat >> 8, fmt.pixelformat >> 16, fmt.pixelformat >> 24);
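Review bot: The new guard `if (strlen(*pixelformatdescription) > 2000) break;` makes the following `strcat` safe only if the destination was allocated with at least 2001 bytes plus the longest formatted fragment plus the terminator, and that allocation is outside this hunk, so the bound cannot be confirmed from here. The same literal is repeated in both guards of the second hunk, which couples three call sites to a size defined elsewhere. Appending in place against the real capacity removes that coupling: with `used` the current length and `cap` the allocated size (both names are placeholders for this note), `n = snprintf(*pixelformatdescription + used, cap - used, ">%c%c%c%c", ...);` followed by `if (n < 0 || (size_t)n >= cap - used) { (*pixelformatdescription)[used] = '\0'; break; }`. The `> 0` test on `snprintf` does not catch truncation of `value`, since a truncated call still returns a positive length. The `while` body continues past the end of the hunk.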
@@ -127,12 +128,14 @@ const char *query_v4ldevice(src_t *src, char **pixelformatdescription)
 rates.pixel_format = fmt.pixelformat;
 rates.width = image_size.width;
 rates.height = image_size.height;
- snprintf( value, sizeof(value), ":%dx%d=", image_size.width, image_size.height );
- strcat(*pixelformatdescription, (char *) value);
+ if (strlen(*pixelformatdescription) > 2000) break;
+ if (snprintf( value, sizeof(value), ":%dx%d=", image_size.width, image_size.height ) > 0)
+ strcat(*pixelformatdescription, (char *) value);
 fprintf(stderr, "Size: %dx%d: ", image_size.width, image_size.height);
 while (ioctl(s->fd, VIDIOC_ENUM_FRAMEINTERVALS, &rates) != -1) {
- snprintf( value, sizeof(value), "%d/%d,", rates.un.discrete.denominator, rates.un.discrete.numerator );
- strcat(*pixelformatdescription, (char *) value);
+ if (strlen(*pixelformatdescription) > 2000) break;
+ if (snprintf( value, sizeof(value), "%d/%d,", rates.un.discrete.denominator, rates.un.discrete.numerator ) > 0)
+ strcat(*pixelformatdescription, (char *) value);
 fprintf(stderr, "%d/%d, ", rates.un.discrete.numerator, rates.un.discrete.denominator);
 rates.index ++;
 }
-- 
2.39.2
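Review bot: The frame-interval loop formats `rates.un.discrete` without first checking `rates.type`, so the new guards limit how much is appended but not what is appended. If a driver answers VIDIOC_ENUM_FRAMEINTERVALS with a stepwise or continuous range, the union is read as though it were a discrete fraction and that value goes into the descriptor string handed back to the caller. A first statement in the loop such as `if (rates.type != V4L2_FRMIVAL_TYPE_DISCRETE) break;` would skip those answers; `image_size` is filled outside this hunk, so the matching check on the frame-size enumeration could not be confirmed here. The width, height, numerator and denominator fields are unsigned in the V4L2 headers, so `%u` is the matching conversion for the two `%d` formats in this hunk. Both enclosing loops start or end outside the hunk.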