diff options
| author | Samyukta Mogily <smogily@codeaurora.org> | 2016-09-01 18:16:50 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-09-16 10:15:09 -0700 |
| commit | 1a4caeee9989cbcfcbb5d662381846327c3c580d (patch) | |
| tree | 60b7b1f6f089f41ebdf4d7ef5862233f6a413861 | |
| parent | 6c104f8d40e59cc9299ddef18d92709d8cda3483 (diff) | |
msm: sensor: Avoid potential stack overflow
Add a check to validate the user input data is not
greater than expected stack buffer size to avoid out
of bounds array accesses
CRs-Fixed: 1056307
Change-Id: Ifd1f4e828373535fdf963aad22b217ae880c778c
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 | ||||
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c index 8f911d362477..a4ee5041bfff 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c +++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c @@ -276,6 +276,12 @@ int32_t msm_camera_cci_i2c_write_seq_table( client_addr_type = client->addr_type; client->addr_type = write_setting->addr_type; + if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) { + pr_err("%s: number of bytes %u exceeding the max supported %d\n", + __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX); + return rc; + } + for (i = 0; i < write_setting->size; i++) { rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr, reg_setting->reg_data, reg_setting->reg_data_size); diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c index 3b101798edac..7a0fb97061d5 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c +++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c @@ -290,6 +290,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client, client_addr_type = client->addr_type; client->addr_type = write_setting->addr_type; + if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) { + pr_err("%s: number of bytes %u exceeding the max supported %d\n", + __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX); + return rc; + } + for (i = 0; i < write_setting->size; i++) { rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr, reg_setting->reg_data, reg_setting->reg_data_size); |