From 6f4c3613acde2479504ad589e7095571fba1c221 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 5 Jan 2012 02:27:57 -0300
Subject: [PATCH] --- yaml --- r: 285753 b: refs/heads/master c:
 6c06108be53ca5e94d8b0e93883d534dd9079646 h: refs/heads/master i:   285751:
 0e511b26694ce13ebc6c4de5de2dff8ff26cda92 v: v3

---
 [refs]                                 | 2 +-
 trunk/drivers/media/video/v4l2-ioctl.c | 4 ++++
 trunk/include/linux/videodev2.h        | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index 8df19aab72b7..afa2392c2319 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: e82db75d06ac331ae39b07f57539df3c51d19b94
+refs/heads/master: 6c06108be53ca5e94d8b0e93883d534dd9079646
diff --git a/trunk/drivers/media/video/v4l2-ioctl.c b/trunk/drivers/media/video/v4l2-ioctl.c
index e1da8fc9dd2f..639abeee3392 100644
--- a/trunk/drivers/media/video/v4l2-ioctl.c
+++ b/trunk/drivers/media/video/v4l2-ioctl.c
@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
 		struct v4l2_ext_controls *ctrls = parg;
 
 		if (ctrls->count != 0) {
+			if (ctrls->count > V4L2_CID_MAX_CTRLS) {
+				ret = -EINVAL;
+				break;
+			}
 			*user_ptr = (void __user *)ctrls->controls;
 			*kernel_ptr = (void *)&ctrls->controls;
 			*array_size = sizeof(struct v4l2_ext_control)
diff --git a/trunk/include/linux/videodev2.h b/trunk/include/linux/videodev2.h
index 6bfaa767a817..b2e1331ca76b 100644
--- a/trunk/include/linux/videodev2.h
+++ b/trunk/include/linux/videodev2.h
@@ -1132,6 +1132,7 @@ struct v4l2_querymenu {
 #define V4L2_CTRL_FLAG_NEXT_CTRL	0x80000000
 
 /*  User-class control IDs defined by V4L2 */
+#define V4L2_CID_MAX_CTRLS		1024
 #define V4L2_CID_BASE			(V4L2_CTRL_CLASS_USER | 0x900)
 #define V4L2_CID_USER_BASE 		V4L2_CID_BASE
 /*  IDs reserved for driver specific controls */