From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>,
Hans Verkuil <hans.verkuil@cisco.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Janusz Krzysztofik <jmkrzyszt@gmail.com>
Subject: [PATCH 06/14] media: ov6650: Fix unverified pad IDs accepted by .get/set_selectioon()
Date: Mon, 8 Apr 2019 23:42:34 +0200 [thread overview]
Message-ID: <20190408214242.9603-7-jmkrzyszt@gmail.com> (raw)
In-Reply-To: <20190408214242.9603-1-jmkrzyszt@gmail.com>
Commit 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops")
converted former ov6650_g/s_crop() video operation callbacks to
ov6650_get/set_selection() pad operation callbacks. However, the new
functions don't verify correctness of pad IDs passed in user arguments.
Fix it.
Even if pad ID arguments are not actually used in those functions,
assumed to be 0, always return -EINVAL if an operation on an invalid
(non-zero) pad is requested by a user.
Fixes: 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Cc: stable@vger.kernel.org
---
drivers/media/i2c/ov6650.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
index d72fcf56930a..5df81dec06ae 100644
--- a/drivers/media/i2c/ov6650.c
+++ b/drivers/media/i2c/ov6650.c
@@ -444,6 +444,9 @@ static int ov6650_get_selection(struct v4l2_subdev *sd,
struct i2c_client *client = v4l2_get_subdevdata(sd);
struct ov6650 *priv = to_ov6650(client);
+ if (sel->pad)
+ return -EINVAL;
+
if (sel->which != V4L2_SUBDEV_FORMAT_ACTIVE)
return -EINVAL;
@@ -471,6 +474,9 @@ static int ov6650_set_selection(struct v4l2_subdev *sd,
struct v4l2_rect rect = sel->r;
int ret;
+ if (sel->pad)
+ return -EINVAL;
+
if (sel->which != V4L2_SUBDEV_FORMAT_ACTIVE ||
sel->target != V4L2_SEL_TGT_CROP)
return -EINVAL;
--
2.21.0
next prev parent reply other threads:[~2019-04-08 21:43 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-08 21:42 [PATCH 00/14] media: ov6650: A collection of fixes Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 01/14] media: ov6650: Fix MODDULE_DESCRIPTION Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 02/14] media: ov6650: Fix control handler not freed on init error Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 03/14] media: ov6650: Fix unverified arguments used in .set_fmt() Janusz Krzysztofik
2019-04-30 13:58 ` Sakari Ailus
2019-05-07 23:33 ` Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 04/14] media: ov6650: Fix unverified arguments accepted by .get_fmt() Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 05/14] media: ov6650: Fix unverified arguments accepted by .enum_mbus_code() Janusz Krzysztofik
2019-04-08 21:42 ` Janusz Krzysztofik [this message]
2019-04-08 21:42 ` [PATCH 07/14] media: ov6650: Fix unverified pad IDs accepted by .g/s_frame_interval() Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 08/14] media: ov6650: Fix crop rectangle alignment not passed back Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 09/14] media: ov6650: Fix incorrect use of JPEG colorspace Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 10/14] media: ov6650: Fix some format attributes not under control Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 11/14] media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 12/14] media: ov6650: Fix default format not applied on device probe Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 13/14] media: ov6650: Fix stored frame format not in sync with hardware Janusz Krzysztofik
2019-04-08 21:42 ` [PATCH 14/14] media: ov6650: Fix stored crop rectangle " Janusz Krzysztofik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190408214242.9603-7-jmkrzyszt@gmail.com \
--to=jmkrzyszt@gmail.com \
--cc=hans.verkuil@cisco.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=sakari.ailus@linux.intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.