@@ -1092,6 +1092,11 @@ static int zoran_enum_fmt(struct zoran *zr, struct v4l2_fmtdesc *fmt, int flag)
{
unsigned int num, i;
+ if (fmt->index >= ARRAY_SIZE(zoran_formats))
+ return -EINVAL;
+ if (fmt->type != V4L2_BUF_TYPE_VIDEO_CAPTURE)
+ return -EINVAL;
+
for (num = i = 0; i < NUM_FORMATS; i++) {
if (zoran_formats[i].flags & flag && num++ == fmt->index) {
strscpy(fmt->description, zoran_formats[i].name, sizeof(fmt->description));
@@ -1244,6 +1249,12 @@ static int zoran_try_fmt_vid_cap(struct file *file, void *__fh,
if (i == NUM_FORMATS)
return -EINVAL;
+ fmt->fmt.pix.colorspace = zoran_formats[i].colorspace;
+ if (BUZ_MAX_HEIGHT < (fmt->fmt.pix.height * 2))
+ fmt->fmt.pix.field = V4L2_FIELD_INTERLACED;
+ else
+ fmt->fmt.pix.field = V4L2_FIELD_TOP;
+
bpp = DIV_ROUND_UP(zoran_formats[i].depth, 8);
v4l_bound_align_image(&fmt->fmt.pix.width, BUZ_MIN_WIDTH, BUZ_MAX_WIDTH, bpp == 2 ? 1 : 2,
&fmt->fmt.pix.height, BUZ_MIN_HEIGHT, BUZ_MAX_HEIGHT, 0, 0);
@@ -1271,6 +1282,9 @@ static int zoran_s_fmt_vid_out(struct file *file, void *__fh, struct v4l2_format
return res;
}
+ if (!fmt->fmt.pix.height || !fmt->fmt.pix.width)
+ return -EINVAL;
+
settings = zr->jpg_settings;
/* we actually need to set 'real' parameters now */
@@ -1856,6 +1870,9 @@ static int zoran_s_selection(struct file *file, void *__fh, struct v4l2_selectio
sel->type != V4L2_BUF_TYPE_VIDEO_CAPTURE)
return -EINVAL;
+ if (!sel->r.width || !sel->r.height)
+ return -EINVAL;
+
if (sel->target != V4L2_SEL_TGT_CROP)
return -EINVAL;
The zoran driver miss some sanity checks, and this made v4l compliance happy. Signed-off-by: Corentin Labbe <clabbe@baylibre.com> --- drivers/staging/media/zoran/zoran_driver.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)