summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--drivers/media/video/v4l2-ioctl.c6
-rw-r--r--include/linux/videodev2.h1
2 files changed, 7 insertions, 0 deletions
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
index 265bfb537fb7..d7332c758064 100644
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > V4L2_CID_MAX_CTRLS)
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
p->error_idx = p->count;
user_ptr = (void __user *)p->controls;
if (p->count) {
+ err = -EINVAL;
+ if (p->count > V4L2_CID_MAX_CTRLS)
+ goto out_ext_ctrl;
ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
/* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
mbuf = kmalloc(ctrls_size, GFP_KERNEL);
diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h
index b59e78c57161..9e2088cb43c2 100644
--- a/include/linux/videodev2.h
+++ b/include/linux/videodev2.h
@@ -858,6 +858,7 @@ struct v4l2_querymenu {
#define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000
/* User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS 1024
#define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900)
#define V4L2_CID_USER_BASE V4L2_CID_BASE
/* IDs reserved for driver specific controls */