From 8604847927f952cc8e773b97eca24e1060a570f2 Mon Sep 17 00:00:00 2001
From: Seemanta Dutta <seemanta@codeaurora.org>
Date: Thu, 25 Jul 2013 18:01:32 -0700
Subject: msm: camera: Fix uninitialized memory returned to userspace

Local structures have not been initialized to all zeroes, so fix
this by setting them to all zeroes to prevent uninitialized memory
being copied to userspace.

CRs-fixed: 518478
Change-Id: I6e76355c3f854514def1bd18dcc5c3ef6db38f16
Signed-off-by: Seemanta Dutta <seemanta@codeaurora.org>
---
 drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c | 3 ++-
 drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c    | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
index 9293aad..e6483c1 100644
--- a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
+++ b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -196,6 +196,7 @@ int msm_mercury_evt_get(struct msm_mercury_device *pmercury_dev,
 	int rc = 0;
 
 	MCR_DBG("(%d)%s() Enter\n", __LINE__, __func__);
+	memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
 	ctrl_cmd.type = (uint32_t)msm_mercury_q_wait(&pmercury_dev->evt_q);
 
 	rc = copy_to_user(arg, &ctrl_cmd, sizeof(ctrl_cmd));
diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
index aa6f034..debbf03 100644
--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
@@ -221,6 +221,7 @@ int msm_jpeg_evt_get(struct msm_jpeg_device *pgmn_dev,
 		return -EAGAIN;
 	}
 
+	memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
 	ctrl_cmd.type = buf_p->vbuf.type;
 	kfree(buf_p);
 
-- 
cgit v1.1