Re: OV7670: ENUM_FRAMESIZES seems buggy to me

On Mon, 14 Apr 2014 14:50:15 +0200 (CEST)
Guennadi Liakhovetski <g.liakhovetski@xxxxxx> wrote:

> If any of the above "if" statements is true, it will 
> stay true forever, until the loop terminates. If that's intended, you 
> could at least use "break" immediately. If it's not - something else is 
> wrong there. Maybe the "win" initialisation at the top of the loop should 
> have "i" as an index? I.e.
> 
> -		struct ov7670_win_size *win = &info->devtype->win_sizes[index];
> +		struct ov7670_win_size *win = &info->devtype->win_sizes[i];
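Review bot: on the `+` line, subscripting `win_sizes` with `i` is only safe if the loop's bound on `i` is the number of entries in that table, and the loop header is not part of this fragment, so that should be confirmed in the full patch. Once `index` is no longer a subscript it should appear only in a comparison against the running count of accepted entries, with an error returned when no entry matches. The changelog should say that the old `win_sizes[index]` read used the caller's value without a range check.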

Sigh.  As far as I can tell, that bug was introduced by
75e2bdad8901a0b599e01a96229be922eef1e488 (ov7670: allow configuration
of image size, clock speed, and I/O method) by Daniel Drake in 2.6.37.
It's not only wrong, it could conceivably be a security issue - index
is unchecked straight from user space.

Say the word and I'll package up a patch.  Otherwise please feel free
to add my Acked-by to your own change, with a cc to stable@.  

Thanks for catching this,

jon
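
An added example, not part of the original message and not the ov7670 driver source: a user-space model of the enumeration pattern discussed above, in which the caller-supplied index is only compared against a count of accepted entries and the loop counter alone subscripts the table. The struct, the table contents and the function name are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver's window-size type. */
struct win_size { unsigned int width, height; };

/* Constructed sample table, largest first. */
static const struct win_size sizes[] = {
	{ 640, 480 }, { 352, 288 }, { 320, 240 }, { 176, 144 },
};
#define N_SIZES (sizeof(sizes) / sizeof(sizes[0]))

/*
 * Return the index-th entry that passes the minimum-size filter.
 * "index" is caller-controlled (user space in the real ioctl path), so it
 * is only compared against a count and never used as an array subscript.
 */
static int enum_framesize(unsigned int index, unsigned int min_width,
			  unsigned int min_height, struct win_size *out)
{
	unsigned int num_valid = 0;
	size_t i;

	for (i = 0; i < N_SIZES; i++) {
		const struct win_size *win = &sizes[i];	/* loop counter */

		if (min_width && win->width < min_width)
			continue;	/* re-evaluated for every entry */
		if (min_height && win->height < min_height)
			continue;
		if (num_valid++ == index) {
			*out = *win;
			return 0;
		}
	}
	return -EINVAL;	/* no such entry, however large index is */
}

int main(void)
{
	struct win_size w;
	unsigned int idx;

	/* Enumerate as a caller would: bump index until -EINVAL. */
	for (idx = 0; enum_framesize(idx, 320, 240, &w) == 0; idx++)
		printf("%u: %ux%u\n", idx, w.width, w.height);
	return 0;
}
```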