From 0ee6c6f748e840c266fe26ed3c89d6bd7e3c9d4e Mon Sep 17 00:00:00 2001 From: Rajesh Bondugula Date: Wed, 13 Apr 2016 14:31:58 -0700 Subject: msm: camera: sensor: Validate step_boundary step_boundary can take values upto the total_steps Validate the step_boundary before consuming it. Convert the type of step_index and region_index to uint16_t step_index and region_index cannot be negative. CRs-Fixed: 1001092 Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70 Signed-off-by: Rajesh Bondugula
---
 .../msm/camera_v2/sensor/actuator/msm_actuator.c | 35 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
index 7653b1b..b87e31e 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
@@ -853,7 +853,7 @@ static int32_t msm_actuator_bivcm_init_step_table(
 {
 int16_t code_per_step = 0;
 int16_t cur_code = 0;
- int16_t step_index = 0, region_index = 0;
+ uint16_t step_index = 0, region_index = 0;
 uint16_t step_boundary = 0;
 uint32_t max_code_size = 1;
 uint16_t data_size = set_info->actuator_params.data_size;
@@ -894,6 +894,15 @@ static int32_t msm_actuator_bivcm_init_step_table(
 step_boundary =
 a_ctrl->region_params[region_index].
 step_bound[MOVE_NEAR];
+ if (step_boundary >
+ set_info->af_tuning_params.total_steps) {
+ pr_err("invalid step_boundary = %d, max_val = %d",
+ step_boundary,
+ set_info->af_tuning_params.total_steps);
+ kfree(a_ctrl->step_position_table);
+ a_ctrl->step_position_table = NULL;
+ return -EINVAL;
+ }
 qvalue = a_ctrl->region_params[region_index].qvalue;
 for (; step_index <= step_boundary;
 step_index++) {
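Review bot: In the declarations hunk at -853 of msm_actuator_bivcm_init_step_table (and the matching one at -929 in msm_actuator_init_step_table), making `step_index` a `uint16_t` means the inclusive loop `for (; step_index <= step_boundary; step_index++)` cannot exit when `step_boundary` is 65535, because the counter wraps to 0 instead of exceeding it. The check added further down only bounds `step_boundary` by `total_steps`, so termination relies on `total_steps` itself being capped below 65535. That cap is not visible in the bivcm hunks, and only the first line of an `if (set_info->af_tuning_params.total_steps` test shows in the other function. I would record the dependency next to the declaration, e.g. `/* 16-bit index: total_steps must stay below UINT16_MAX or the <= loop wraps */`. Both function bodies start and end outside the hunks.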
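Review bot: The new guard in the -894 hunk (repeated at -971 in msm_actuator_init_step_table) accepts `step_boundary == total_steps`, and the loop that follows is inclusive, so `step_index` reaches `total_steps`. Assuming the loop body, which is outside the hunk, indexes `step_position_table` with it, that is in bounds only if the table was allocated with `total_steps + 1` entries. The allocation is outside both hunks, so I would confirm it there and state the invariant on the check, e.g. `/* table has total_steps + 1 entries; index total_steps is the last valid slot */`. Separately, the `pr_err` format string has no trailing newline, unlike the one added in the -929 hunk: `pr_err("invalid step_boundary = %d, max_val = %d\n",`.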
@@ -929,20 +938,25 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl,
 int16_t code_per_step = 0;
 uint32_t qvalue = 0;
 int16_t cur_code = 0;
- int16_t step_index = 0, region_index = 0;
+ uint16_t step_index = 0, region_index = 0;
 uint16_t step_boundary = 0;
 uint32_t max_code_size = 1;
 uint16_t data_size = set_info->actuator_params.data_size;
 CDBG("Enter\n");
+ /* validate the actuator state */
+ if (a_ctrl->actuator_state != ACT_OPS_ACTIVE) {
+ pr_err("%s:%d invalid actuator_state %d\n"
+ , __func__, __LINE__, a_ctrl->actuator_state);
+ return -EINVAL;
+ }
 for (; data_size > 0; data_size--)
 max_code_size *= 2;
 a_ctrl->max_code_size = max_code_size;
- if ((a_ctrl->actuator_state == ACT_OPS_ACTIVE) &&
- (a_ctrl->step_position_table != NULL)) {
- kfree(a_ctrl->step_position_table);
- }
+
+ /* free the step_position_table to allocate a new one */
+ kfree(a_ctrl->step_position_table);
 a_ctrl->step_position_table = NULL;
 if (set_info->af_tuning_params.total_steps
@@ -971,6 +985,15 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl,
 step_boundary =
 a_ctrl->region_params[region_index].
 step_bound[MOVE_NEAR];
+ if (step_boundary >
+ set_info->af_tuning_params.total_steps) {
+ pr_err("invalid step_boundary = %d, max_val = %d",
+ step_boundary,
+ set_info->af_tuning_params.total_steps);
+ kfree(a_ctrl->step_position_table);
+ a_ctrl->step_position_table = NULL;
+ return -EINVAL;
+ }
 for (; step_index <= step_boundary;
 step_index++) {
 if (qvalue > 1 && qvalue <= MAX_QVALUE)
--
cgit v1.1
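Review bot: The actuator_state check and the unconditional `kfree()` in the -929 hunk are applied only to msm_actuator_init_step_table; no equivalent change appears in the visible hunks of msm_actuator_bivcm_init_step_table, whose free-and-reallocate code lies outside them. If that function still frees the old table only when the state is ACT_OPS_ACTIVE, it should get the same early `return -EINVAL` so both paths treat a stale `step_position_table` alike. The `pr_err` call also starts its argument line with a comma; kernel style puts the comma at the end of the format line: `pr_err("%s:%d invalid actuator_state %d\n",` followed by `__func__, __LINE__, a_ctrl->actuator_state);`. The function body starts and ends outside the hunk.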