Commit ebcff5fce6b1 ("[media] v4l2: replace enum_mbus_fmt by enum_mbus_code") converted a former ov6650_enum_fmt() video operation callback to an ov6650_enum_mbus_fmt() pad operation callback. However, the function does not verify correctness of code->which flag and pad config pointer arguments. Fix it.

Even if the function has no need to dereference the pad config pointer argument, return -EINVAL if it is NULL on V4L2_SUBDEV_FORMAT_TRY.

Fixes: ebcff5fce6b1 ("[media] v4l2: replace enum_mbus_fmt by enum_mbus_code")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
--- drivers/media/i2c/ov6650.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c index 5c1738c5a847..d72fcf56930a 100644 --- a/drivers/media/i2c/ov6650.c +++ b/drivers/media/i2c/ov6650.c @@ -737,7 +737,21 @@ static int ov6650_enum_mbus_code(struct v4l2_subdev *sd, struct v4l2_subdev_pad_config *cfg, struct v4l2_subdev_mbus_code_enum *code) { - if (code->pad || code->index >= ARRAY_SIZE(ov6650_codes)) + if (code->pad) + return -EINVAL; + + switch (code->which) { + case V4L2_SUBDEV_FORMAT_ACTIVE: + break; + case V4L2_SUBDEV_FORMAT_TRY: + if (cfg) + break; + /* fall through */ + default: + return -EINVAL; + } + + if (code->index >= ARRAY_SIZE(ov6650_codes)) return -EINVAL; code->code = ov6650_codes[code->index]; -- 2.21.0
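Review bot: In the V4L2_SUBDEV_FORMAT_TRY case of the new switch in ov6650_enum_mbus_code(), the success path breaks on `if (cfg)` and the NULL case reaches the error only by falling through into `default:`, which makes the rejection easy to lose if a case is later added between the two. Writing the check in the negative, `if (!cfg) return -EINVAL;` followed by an unconditional `break;`, gives the same behaviour without the fall-through. Since the function body shown never dereferences cfg, a one-line comment at that check saying the NULL test is there for consistency with the TRY contract rather than to guard an access would help the next reader. The commit message also refers to the callback as ov6650_enum_mbus_fmt(), while the function in the hunk header is ov6650_enum_mbus_code(); the message should use the name that is in the file.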