From 8e6daae70422ad35146a87700e6634a747d1ff5d Mon Sep 17 00:00:00 2001 From: Hariram Purushothaman Date: Tue, 16 Jul 2013 11:23:47 -0700 Subject: msm: camera: Bound check num_cid from userspace in csid driver Upper and lower bound checks are enforced for num_cid which is passed from userspace with lower as 1 and max of 16. Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954 Signed-off-by: Hariram Purushothaman --- drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c index 9aca234..229fdb2 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c +++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c @@ -440,7 +440,7 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg) case CSID_CFG: { struct msm_camera_csid_params csid_params; struct msm_camera_csid_vc_cfg *vc_cfg = NULL; - int32_t i = 0; + int8_t i = 0; if (copy_from_user(&csid_params, (void *)cdata->cfg.csid_params, sizeof(struct msm_camera_csid_params))) { @@ -448,6 +448,13 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg) rc = -EFAULT; break; } + if (csid_params.lut_params.num_cid < 1 || + csid_params.lut_params.num_cid > 16) { + pr_err("%s: %d num_cid outside range\n", + __func__, __LINE__); + rc = -EINVAL; + break; + } for (i = 0; i < csid_params.lut_params.num_cid; i++) { vc_cfg = kzalloc(csid_params.lut_params.num_cid * sizeof(struct msm_camera_csid_vc_cfg), -- cgit v1.1