From: Dipankar Sarma <dipankar@in.ibm.com>

Fix handling of user bufs (arg), use copy_from_user.



 25-akpm/drivers/usb/media/vicam.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff -puN drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix drivers/usb/media/vicam.c
--- 25/drivers/usb/media/vicam.c~ds-09-vicam-usercopy-fix	Tue Jun 10 14:55:11 2003
+++ 25-akpm/drivers/usb/media/vicam.c	Tue Jun 10 14:55:11 2003
@@ -611,7 +611,12 @@ vicam_ioctl(struct inode *inode, struct 
 
 	case VIDIOCSPICT:
 		{
-			struct video_picture *vp = (struct video_picture *) arg;
+			struct video_picture vp;
+
+			if (copy_from_user(&vp, arg, sizeof (vp))) {
+				retval = -EFAULT;
+				break;
+			}
 
 			DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
 			    vp->palette);
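Review bot: `vp` is now a `struct video_picture` on the stack rather than a pointer, but the unchanged `DBG` call right after the added block still uses `vp->depth` and `vp->palette`, which will not compile; it should read `vp.depth, vp.palette`. The VIDIOCSWIN hunk has the same problem with `vw->width` and `vw->height` in its `DBG` call and in the `320`/`240` size check. Both case bodies continue past the end of their hunks, so any later `vp->` or `vw->` uses need the same conversion, and they should read only the local copy so the validated values cannot change under the driver. The removed lines cast `arg` before use, which suggests it is not already a pointer; if so, the new calls probably want an explicit cast such as `copy_from_user(&vp, (void *) arg, sizeof(vp))`.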
@@ -652,7 +657,12 @@ vicam_ioctl(struct inode *inode, struct 
 	case VIDIOCSWIN:
 		{
 
-			struct video_window *vw = (struct video_window *) arg;
+			struct video_window vw;
+
+			if (copy_from_user(&vw, arg, sizeof (vw))) {
+				retval = -EFAULT;
+				break;
+			}
 			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
 
 			if ( vw->width != 320 || vw->height != 240 )

_