[media] v4l: Check pad arguments for [gs]_frame_interval

VIDIOC_SUBDEV_[GS]_FRAME_INTERVAL IOCTLs argument structs contain the pad
field but the validity check was missing. There should be no implications
security-wise from this since no driver currently uses the pad field in the
struct.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
index aea84ac..0ed4c5b 100644 (file)
--- a/drivers/media/v4l2-core/v4l2-subdev.c
+++ b/drivers/media/v4l2-core/v4l2-subdev.c
@@ -305,11 +305,23 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
                                        fse);
        }
 
-       case VIDIOC_SUBDEV_G_FRAME_INTERVAL:
+       case VIDIOC_SUBDEV_G_FRAME_INTERVAL: {
+               struct v4l2_subdev_frame_interval *fi = arg;
+
+               if (fi->pad >= sd->entity.num_pads)
+                       return -EINVAL;
+
                return v4l2_subdev_call(sd, video, g_frame_interval, arg);
+       }
+
+       case VIDIOC_SUBDEV_S_FRAME_INTERVAL: {
+               struct v4l2_subdev_frame_interval *fi = arg;
+
+               if (fi->pad >= sd->entity.num_pads)
+                       return -EINVAL;
 
-       case VIDIOC_SUBDEV_S_FRAME_INTERVAL:
                return v4l2_subdev_call(sd, video, s_frame_interval, arg);
+       }
 
        case VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL: {
                struct v4l2_subdev_frame_interval_enum *fie = arg;