v4l2: v4l2_camera_proxy: Check arg->index bounds for querybuf, qbuf, dqbuf

There were no bounds checks for the index argument for VIDIOC_QUERYBUF,
VIDIOC_QBUF, and VIDIOC_DQBUF. Add them.

Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

src/v4l2/v4l2_camera_proxy.cpp

@@ -539,6 +539,9 @@ int V4L2CameraProxy::vidioc_querybuf(V4L2CameraFile *file, struct v4l2_buffer *a
 {
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!validateBufferType(arg->type) ||
 	    arg->index >= bufferCount_)
 		return -EINVAL;
@@ -555,6 +558,9 @@ int V4L2CameraProxy::vidioc_qbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
 			       << arg->index << " fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!hasOwnership(file))
 		return -EBUSY;
 
@@ -577,6 +583,9 @@ int V4L2CameraProxy::vidioc_dqbuf(V4L2CameraFile *file, struct v4l2_buffer *arg)
 {
 	LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << file->efd();
 
+	if (arg->index >= bufferCount_)
+		return -EINVAL;
+
 	if (!hasOwnership(file))
 		return -EBUSY;