# http://linux.bkbits.net:8080/linux-2.4/gnupatch@400296c0nBkPACQ9yiuBTri8qhJjWQ
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0075
# http://www.ultramonkey.org/bugs/cve/CAN-2004-0075.shtml

# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
#   2004/01/12 10:44:48-02:00 rtjohnso@eecs.berkeley.edu 
#   [PATCH] USB ioctl fixes (vicam.c, w9968cf.c)
#   
#   The bugs are very simple, so I think the patches speak for
#   themselves.  Thanks for looking at this, and my apologies if I've made
#   any mistakes.  Let me know if you have any questions.
#   
#   Best,
#   Rob
#   
#   P.S. Both of these bugs were found using the source code verification
#   tool, CQual, developed by Jeff Foster, myself, and others, and available
#   from http://www.cs.umd.edu/~jfoster/cqual/.
# 
# drivers/usb/vicam.c
#   2004/01/05 15:23:11-02:00 rtjohnso@eecs.berkeley.edu +10 -3
#   USB ioctl fixes (vicam.c, w9968cf.c)
# 
# drivers/usb/w9968cf.c
#   2004/01/07 11:44:44-02:00 rtjohnso@eecs.berkeley.edu +6 -2
#   USB ioctl fixes (vicam.c, w9968cf.c)
# 
diff -Nru a/drivers/usb/vicam.c b/drivers/usb/vicam.c
--- a/drivers/usb/vicam.c	2004-06-14 04:19:02 -07:00
+++ b/drivers/usb/vicam.c	2004-06-14 04:19:02 -07:00
@@ -601,12 +601,19 @@
 	case VIDIOCSWIN:
 		{
 
-			struct video_window *vw = (struct video_window *) arg;
-			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+			struct video_window vw;
 
-			if ( vw->width != 320 || vw->height != 240 )
+			if (copy_from_user(&vw, arg, sizeof(vw)))
+			{
 				retval = -EFAULT;
+				break;
+			}
+
+			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
 			
+			if ( vw.width != 320 || vw.height != 240 )
+				retval = -EFAULT;
+
 			break;
 		}