V4L/DVB (11573): uvcvideo: Prevent invormation loss with removing implicit casting

The uvcvideo driver supports only one input, which is input 0. For all
other input index the return value shall be EINVAL. This patch fixes the
problem when the value 0x80000000 was incorrectly casted and treated as
a zero value.

The patch was tested with v4l-test 0.10 [2] with CNF7129 webcam found on
EeePC 901.

References:
[1] V4L2 API specification, revision 0.24
    http://v4l2spec.bytesex.org/spec/r11217.htm

[2] v4l-test: Test environment for Video For Linux Two API
    http://v4l-test.sourceforge.net/

[Modified by Laurent Pinchart]

Invalid input value (u32)-1 would be accepted due to integer overflow. Make
sure the driver rejects it and returns -EINVAL.

Signed-off-by: Márton Németh <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>

diff --git a/drivers/media/video/uvc/uvc_v4l2.c b/drivers/media/video/uvc/uvc_v4l2.c
index 2a80caa54fb42638d6808e8819a0fbb7c351e0aa..43b05a7ecdce84aa883249dab62043db227144a9 100644 (file)
--- a/drivers/media/video/uvc/uvc_v4l2.c
+++ b/drivers/media/video/uvc/uvc_v4l2.c
@@ -648,7 +648,7 @@ static long uvc_v4l2_do_ioctl(struct file *file, unsigned int cmd, void *arg)
 
        case VIDIOC_S_INPUT:
        {
-               u8 input = *(u32 *)arg + 1;
+               u32 input = *(u32 *)arg + 1;
 
                if ((ret = uvc_acquire_privileges(handle)) < 0)
                        return ret;
@@ -660,7 +660,7 @@ static long uvc_v4l2_do_ioctl(struct file *file, unsigned int cmd, void *arg)
                        break;
                }
 
-               if (input > video->selector->selector.bNrInPins)
+               if (input == 0 || input > video->selector->selector.bNrInPins)
                        return -EINVAL;
 
                return uvc_query_ctrl(video->dev, SET_CUR, video->selector->id,