mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
49 lines
2.0 KiB
Diff
49 lines
2.0 KiB
Diff
From 2fb303d9c6ca080f253b10ed9384293ca69ad32b Mon Sep 17 00:00:00 2001
|
|
From: Vasko Kalanoski <vaskok@codeaurora.org>
|
|
Date: Tue, 8 Oct 2013 10:50:32 -0700
|
|
Subject: msm: actuator: fix to prevent kernel heap buffer overflow
|
|
|
|
fix to prevent kernel heap buffer overflow allows user
|
|
controlled data to be written to the heap via the
|
|
msm_camera actuator IOCTLs
|
|
|
|
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
|
|
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
|
|
---
|
|
.../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 12 ++++++++++--
|
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
index baa2db8..e605326 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
@@ -79,6 +79,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
|
|
struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;
|
|
CDBG("Enter\n");
|
|
for (i = 0; i < size; i++) {
|
|
+ /* check that the index into i2c_tbl cannot grow larger that
|
|
+ the allocated size of i2c_tbl */
|
|
+ if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index)) {
|
|
+ break;
|
|
+ }
|
|
if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
|
|
value = (next_lens_position <<
|
|
write_arr[i].data_shift) |
|
|
@@ -464,8 +469,11 @@ static int32_t msm_actuator_init(struct msm_actuator_ctrl_t *a_ctrl,
|
|
|
|
a_ctrl->i2c_data_type = set_info->actuator_params.i2c_data_type;
|
|
a_ctrl->i2c_client.addr_type = set_info->actuator_params.i2c_addr_type;
|
|
- a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
|
|
- if (a_ctrl->reg_tbl_size > MAX_ACTUATOR_REG_TBL_SIZE) {
|
|
+ if (set_info->actuator_params.reg_tbl_size <=
|
|
+ MAX_ACTUATOR_REG_TBL_SIZE) {
|
|
+ a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
|
|
+ } else {
|
|
+ a_ctrl->reg_tbl_size = 0;
|
|
pr_err("MAX_ACTUATOR_REG_TBL_SIZE is exceeded.\n");
|
|
return -EFAULT;
|
|
}
|
|
--
|
|
cgit v1.1
|
|
|