From: Dipankar Sarma <dipankar@in.ibm.com>

Fix handling of user bufs (arg), use copy_from_user.



 drivers/usb/media/vicam.c |   28 +++++++++++++++++++---------
 1 files changed, 19 insertions(+), 9 deletions(-)

diff -puN drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix drivers/usb/media/vicam.c
--- 25/drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix	2003-06-11 04:01:14.000000000 -0700
+++ 25-akpm/drivers/usb/media/vicam.c	2003-06-11 04:01:14.000000000 -0700
@@ -611,15 +611,20 @@ vicam_ioctl(struct inode *inode, struct 
 
 	case VIDIOCSPICT:
 		{
-			struct video_picture *vp = (struct video_picture *) arg;
+			struct video_picture vp;
 
-			DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
-			    vp->palette);
+			if (copy_from_user(&vp, arg, sizeof (vp))) {
+				retval = -EFAULT;
+				break;
+			}
 
-			cam->gain = vp->brightness >> 8;
+			DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth,
+			    vp.palette);
 
-			if (vp->depth != 24
-			    || vp->palette != VIDEO_PALETTE_RGB24)
+			cam->gain = vp.brightness >> 8;
+
+			if (vp.depth != 24
+			    || vp.palette != VIDEO_PALETTE_RGB24)
 				retval = -EINVAL;
 
 			break;
@@ -652,10 +657,15 @@ vicam_ioctl(struct inode *inode, struct 
 	case VIDIOCSWIN:
 		{
 
-			struct video_window *vw = (struct video_window *) arg;
-			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+			struct video_window vw;
+
+			if (copy_from_user(&vw, arg, sizeof (vw))) {
+				retval = -EFAULT;
+				break;
+			}
+			DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height);
 
-			if ( vw->width != 320 || vw->height != 240 )
+			if ( vw.width != 320 || vw.height != 240 )
 				retval = -EFAULT;
 			
 			break;

_