mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
68 lines
2.4 KiB
Diff
68 lines
2.4 KiB
Diff
From 60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4 Mon Sep 17 00:00:00 2001
|
|
From: Alok Kediya <kediya@codeaurora.org>
|
|
Date: Thu, 10 Oct 2013 12:11:01 +0530
|
|
Subject: msm:camera: Bounds and validity check for params
|
|
|
|
Check the range and validity of parameters before accessing.
|
|
|
|
CRs-fixed: 550607, 554434, 554436
|
|
|
|
Change-Id: I2d6aec4f9cb9385789c0df6a2c4abefe9e87539f
|
|
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
|
|
---
|
|
drivers/media/video/msm/server/msm_cam_server.c | 20 ++++++++++++++++----
|
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c
|
|
index 4bda7a3..5fc8e83 100644
|
|
--- a/drivers/media/video/msm/server/msm_cam_server.c
|
|
+++ b/drivers/media/video/msm/server/msm_cam_server.c
|
|
@@ -311,6 +311,13 @@ static int msm_ctrl_cmd_done(void *arg)
|
|
goto ctrl_cmd_done_error;
|
|
}
|
|
|
|
+ if(command->queue_idx < 0 ||
|
|
+ command->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
|
|
+ pr_err("%s: Invalid value OR index %d\n", __func__,
|
|
+ command->queue_idx);
|
|
+ goto ctrl_cmd_done_error;
|
|
+ }
|
|
+
|
|
if (!g_server_dev.server_queue[command->queue_idx].queue_active) {
|
|
pr_err("%s: Invalid queue\n", __func__);
|
|
goto ctrl_cmd_done_error;
|
|
@@ -339,7 +346,8 @@ static int msm_ctrl_cmd_done(void *arg)
|
|
max_control_command_size);
|
|
goto ctrl_cmd_done_error;
|
|
}
|
|
- if (copy_from_user(command->value, uptr, command->length)) {
|
|
+ if (copy_from_user(command->value, (void __user *)uptr,
|
|
+ command->length)) {
|
|
pr_err("%s: copy_from_user failed, size=%d\n",
|
|
__func__, sizeof(struct msm_ctrl_cmd));
|
|
goto ctrl_cmd_done_error;
|
|
@@ -2650,13 +2658,17 @@ int msm_server_send_ctrl(struct msm_ctrl_cmd *out,
|
|
struct msm_queue_cmd *event_qcmd;
|
|
struct msm_ctrl_cmd *ctrlcmd;
|
|
struct msm_cam_server_dev *server_dev = &g_server_dev;
|
|
- struct msm_device_queue *queue =
|
|
- &server_dev->server_queue[out->queue_idx].ctrl_q;
|
|
-
|
|
+ struct msm_device_queue *queue;
|
|
struct v4l2_event v4l2_evt;
|
|
struct msm_isp_event_ctrl *isp_event;
|
|
void *ctrlcmd_data;
|
|
|
|
+ if(out->queue_idx < 0 || out->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
|
|
+ pr_err("%s: Invalid index %d\n", __func__, out->queue_idx);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ queue = &server_dev->server_queue[out->queue_idx].ctrl_q;
|
|
+
|
|
event_qcmd = kzalloc(sizeof(struct msm_queue_cmd), GFP_KERNEL);
|
|
if (!event_qcmd) {
|
|
pr_err("%s Insufficient memory. return", __func__);
|
|
--
|
|
cgit v1.1
|
|
|