Commit da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad
op get_fmt") converted a former ov6650_g_fmt() video operation callback
to an ov6650_get_fmt() pad operation callback. However, the function
does not verify correctness of user provided format->which flag and pad
config pointer arguments. Fix it.
Even if the function never dereferences the pad config pointer argument,
return -EINVAL if it is NULL on V4L2_SUBDEV_FORMAT_TRY.
Fixes: da298c6d98d5 ("[media] v4l2: replace video op g_mbus_fmt by pad op get_fmt")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
drivers/media/i2c/ov6650.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
index 3062c9a6c57b..5c1738c5a847 100644
--- a/drivers/media/i2c/ov6650.c
+++ b/drivers/media/i2c/ov6650.c
@@ -515,6 +515,17 @@ static int ov6650_get_fmt(struct v4l2_subdev *sd,
if (format->pad)
return -EINVAL;
+ switch (format->which) {
+ case V4L2_SUBDEV_FORMAT_ACTIVE:
+ break;
+ case V4L2_SUBDEV_FORMAT_TRY:
+ if (cfg)
+ break;
+ /* fall through */
+ default:
+ return -EINVAL;
+ }
+
mf->width = priv->rect.width >> priv->half_scale;
mf->height = priv->rect.height >> priv->half_scale;
mf->code = priv->code;
--
2.21.0
