DivestOS/Patches/Linux_CVEs/CVE-2016-3934/ANY/0.patch

75 lines
2.7 KiB
Diff
Raw Normal View History

From 27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc Mon Sep 17 00:00:00 2001
From: Vasko Kalanoski <vaskok@codeaurora.org>
Date: Tue, 3 Feb 2015 13:17:44 +0200
Subject: msm: camera: restructure data handling to be more robust
add dynamic array allocation instead of static to prevent
stack overflow.
Change-Id: Id12ed5b01809021d2b1d1d71436f2523b575d9de
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
---
.../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 25 +++++++++++++++-------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
index 4b0bde95..59ad29f 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -138,23 +138,30 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
int32_t rc = -EFAULT;
uint8_t i = 0;
struct msm_camera_cci_ctrl cci_ctrl;
- struct msm_camera_i2c_reg_array reg_conf_tbl[num_byte];
+ struct msm_camera_i2c_reg_array *reg_conf_tbl = NULL;
if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
|| num_byte == 0)
return rc;
- S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
- __func__, addr, num_byte);
- memset(reg_conf_tbl, 0,
- num_byte * sizeof(struct msm_camera_i2c_reg_array));
- reg_conf_tbl[0].reg_addr = addr;
if (num_byte > I2C_SEQ_REG_DATA_MAX) {
pr_err("%s: num_byte=%d clamped to max supported %d\n",
__func__, num_byte, I2C_SEQ_REG_DATA_MAX);
- num_byte = I2C_SEQ_REG_DATA_MAX;
+ return rc;
}
+
+ S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
+ __func__, addr, num_byte);
+
+ reg_conf_tbl = kzalloc(num_byte *
+ (sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);
+ if (!reg_conf_tbl) {
+ pr_err("%s:%d no memory\n", __func__, __LINE__);
+ return -ENOMEM;
+ }
+
+ reg_conf_tbl[0].reg_addr = addr;
for (i = 0; i < num_byte; i++) {
reg_conf_tbl[i].reg_data = data[i];
reg_conf_tbl[i].delay = 0;
@@ -169,6 +176,8 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
core, ioctl, VIDIOC_MSM_CCI_CFG, &cci_ctrl);
CDBG("%s line %d rc = %d\n", __func__, __LINE__, rc);
rc = cci_ctrl.status;
+ kfree(reg_conf_tbl);
+ reg_conf_tbl = NULL;
return rc;
}
--
cgit v1.1