authorSubbaraman Narayanamurthy <subbaram@codeaurora.org>2016-07-27 10:41:47 -0700
committerSubbaraman Narayanamurthy <subbaram@codeaurora.org>2016-07-27 14:51:48 -0700
commit5a3dc1728390e5213b877003bcae7c8473101fd0 (patch)
tree178ea30512bda0e3c0548c07b8de20a68f0a2430
parent8702ef5194e88005aeac06026abd29b3873bc2b8 (diff)
power: qcom-charger: fix possible out of bounds access for GEN3 FG driver
Fix the following things in fg-util.c which is included by GEN3 FG driver: - Possible out of bounds access in fg_sram_dfs_reg_write() when using bytes_read from sscanf - Fix uninitialized usage of variable in write_next_line_to_log() Change-Id: If9e7ba5632d1b5f99d91bda6276d9123c37e4dc7 Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
-rw-r--r--drivers/power/qcom-charger/fg-util.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c
index fe00dadc3f38..9f2d9973e04b 100644
--- a/drivers/power/qcom-charger/fg-util.c
+++ b/drivers/power/qcom-charger/fg-util.c
@@ -384,7 +384,7 @@ static int print_to_log(struct fg_log_buffer *log, const char *fmt, ...)
static int write_next_line_to_log(struct fg_trans *trans, int offset,
size_t *pcnt)
{
- int i, j;
+ int i;
u8 data[ITEMS_PER_LINE];
u16 address;
struct fg_log_buffer *log = trans->log;
@@ -397,7 +397,6 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
goto done;
memcpy(data, trans->data + (offset - trans->addr), items_to_read);
-
*pcnt -= items_to_read;
/* address is in word now and it increments by 1. */
@@ -407,8 +406,8 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
goto done;
/* Log the data items */
- for (j = 0; i < items_to_log; ++i, ++j) {
- cnt = print_to_log(log, "%2.2X ", data[j]);
+ for (i = 0; i < items_to_log; ++i) {
+ cnt = print_to_log(log, "%2.2X ", data[i]);
if (cnt == 0)
goto done;
}
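Review bot: The rewritten loop `for (i = 0; i < items_to_log; ++i)` reads `data[i]` from the on-stack `u8 data[ITEMS_PER_LINE]`, so it is correct only while `items_to_log` exceeds neither `ITEMS_PER_LINE` nor the `items_to_read` bytes that the earlier `memcpy()` filled. Otherwise uninitialized stack bytes would be formatted into the log buffer. Both values are computed outside this hunk, so this is worth confirming. A one-line comment above the loop, such as `/* items_to_log <= items_to_read <= ITEMS_PER_LINE */`, would record the invariant. The body of write_next_line_to_log() starts and ends outside the hunk.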
@@ -552,7 +551,8 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
values = kbuf;
/* Parse the data in the buffer. It should be a string of numbers */
- while (sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
+ while ((pos < count) &&
+ sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
pos += bytes_read;
values[cnt++] = data & 0xff;
}
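Review bot: The added `pos < count` test in the `while` condition bounds only the starting offset; `sscanf()` takes no length and keeps scanning until it meets a NUL, so the parse stays inside the buffer only if `kbuf` holds `count + 1` bytes with `kbuf[count] = '\0'` set before this loop. The allocation and termination are outside the hunk, so this should be confirmed, and a comment such as `/* kbuf is NUL-terminated at kbuf[count], so sscanf() cannot run past it */` would record what the loop relies on. If `pos` is declared as a signed `int` (not visible here), the comparison with the `size_t count` is mixed-sign, and declaring `pos` as `size_t` would be cleaner. Separately, `data & 0xff` silently truncates parsed values above 255 instead of rejecting them with `-EINVAL`.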