From 94f4b81da69ec72486476adb59d7c818bd4ffbd0 Mon Sep 17 00:00:00 2001
From: chengengjia <chengjia4574@gmail.com>
Date: Wed, 10 Aug 2016 17:34:43 +0800
Subject: [PATCH] input: synaptics: Add checks of user input data

Add checks of the user input count to avoid possible heap overflow

Bug: 30799828
Change-Id: I896492b18c4ace6565fb9edd5cbf51f363ce157b
Signed-off-by: chengengjia <chengjia4574@gmail.com>
Signed-off-by: Andrew Chant <achant@google.com>
---
 drivers/input/touchscreen/synaptics_fw_update.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c
index 8e457ccaa5245..170a202590ad4 100644
--- a/drivers/input/touchscreen/synaptics_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_fw_update.c
@@ -1736,6 +1736,13 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file,
 		return -EAGAIN;
 	}
 
+	if (count > fwu->image_size - fwu->data_pos) {
+		dev_err(&fwu->rmi4_data->i2c_client->dev,
+				"%s: Not enough space in buffer\n",
+				__func__);
+		return -EINVAL;
+	}
+
 	memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]),
 			(const void *)buf,
 			count);