mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
From 8236d6ebc7e26361ca7078cbeba01509f10941d8 Mon Sep 17 00:00:00 2001
|
|
From: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Date: Tue, 22 Nov 2016 11:04:04 -0800
|
|
Subject: msm: camera: flash: Validate the power setting size
|
|
|
|
Validate the power setting size before copying.
|
|
If userspace sends a value which is greater than
|
|
MAX_POWER_CONFIG, then the driver accesses unintended memory.
|
|
This change will fix the issue.
|
|
|
|
CRs-Fixed: 1093232
|
|
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Change-Id: Ia49963248a94765baa19695294b197ea6f3bb8e2
|
|
---
|
|
drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
|
|
index 5f749bd..6c8826b 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
|
|
@@ -269,6 +269,16 @@ static int32_t msm_flash_i2c_init(
|
|
flash_ctrl->power_info.power_down_setting_size =
|
|
flash_ctrl->power_setting_array.size_down;
|
|
|
|
+ if ((flash_ctrl->power_info.power_setting_size > MAX_POWER_CONFIG) ||
|
|
+ (flash_ctrl->power_info.power_down_setting_size > MAX_POWER_CONFIG)) {
|
|
+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
|
|
+ __func__, __LINE__,
|
|
+ flash_ctrl->power_info.power_setting_size,
|
|
+ flash_ctrl->power_info.power_down_setting_size);
|
|
+ rc = -EINVAL;
|
|
+ goto msm_flash_i2c_init_fail;
|
|
+ }
|
|
+
|
|
rc = msm_camera_power_up(&flash_ctrl->power_info,
|
|
flash_ctrl->flash_device_type,
|
|
&flash_ctrl->flash_i2c_client);
|
|
--
|
|
cgit v1.1
|
|
|