mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-08 20:31:57 +00:00
58 lines
2.3 KiB
Diff
58 lines
2.3 KiB
Diff
From b8874573428e8ce024f57c6242d662fcca5e5d55 Mon Sep 17 00:00:00 2001
|
|
From: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
Date: Mon, 25 Jul 2016 11:53:19 +0530
|
|
Subject: msm: camera: sensor: Fix use after free condition
|
|
|
|
Add a check to return value before calling csid config which will
|
|
otherwise lead to use after free scenario.
|
|
|
|
CRs-Fixed: 1040857
|
|
Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f
|
|
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
---
|
|
drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 10 +++++++---
|
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
|
|
index 5864096..7dd2959 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
|
|
@@ -1,4 +1,4 @@
|
|
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
|
|
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 and
|
|
@@ -518,7 +518,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg)
|
|
break;
|
|
}
|
|
if (csid_params.lut_params.num_cid < 1 ||
|
|
- csid_params.lut_params.num_cid > 16) {
|
|
+ csid_params.lut_params.num_cid > MAX_CID) {
|
|
pr_err("%s: %d num_cid outside range\n",
|
|
__func__, __LINE__);
|
|
rc = -EINVAL;
|
|
@@ -547,6 +547,10 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg)
|
|
csid_params.lut_params.vc_cfg[i] = vc_cfg;
|
|
}
|
|
csid_dev->csid_sof_debug = 0;
|
|
+ if (rc < 0) {
|
|
+ pr_err("%s:%d failed\n", __func__, __LINE__);
|
|
+ break;
|
|
+ }
|
|
rc = msm_csid_config(csid_dev, &csid_params);
|
|
for (i--; i >= 0; i--)
|
|
kfree(csid_params.lut_params.vc_cfg[i]);
|
|
@@ -658,7 +662,7 @@ static int32_t msm_csid_cmd32(struct csid_device *csid_dev, void __user *arg)
|
|
csid_params.lut_params.num_cid = lut_par32.num_cid;
|
|
|
|
if (csid_params.lut_params.num_cid < 1 ||
|
|
- csid_params.lut_params.num_cid > 16) {
|
|
+ csid_params.lut_params.num_cid > MAX_CID) {
|
|
pr_err("%s: %d num_cid outside range\n",
|
|
__func__, __LINE__);
|
|
rc = -EINVAL;
|
|
--
|
|
cgit v1.1
|
|
|