| author | Samyukta Mogily <smogily@codeaurora.org> | 2017-06-23 14:29:20 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-06-26 19:58:49 -0700 |
| commit | bf5f992f6ff6a14151ffdb30b8840153047caa43 (patch) | |
| tree | 0952559ddf93326880d0cf5e646ac18190efa3d4 | |
| parent | 6f56b2a9c8e2ce69e2a98e52d5f1342b25cae44e (diff) | |
msm: sensor: Fix for variable being de-referenced without proper check
Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.
Change-Id: I731a015c952d131187a47a8d346fb6478fddeeb1
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 12 | ||||
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c | 4 |
2 files changed, 7 insertions, 9 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
index 5376e1e4b6a4..491b8d31935a 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1144,13 +1144,13 @@ static long msm_flash_subdev_do_ioctl(
 sd = vdev_to_v4l2_subdev(vdev);
 u32 = (struct msm_flash_cfg_data_t32 *)arg;
- flash_data.cfg_type = u32->cfg_type;
- for (i = 0; i < MAX_LED_TRIGGERS; i++) {
- flash_data.flash_current[i] = u32->flash_current[i];
- flash_data.flash_duration[i] = u32->flash_duration[i];
- }
 switch (cmd) {
 case VIDIOC_MSM_FLASH_CFG32:
+ flash_data.cfg_type = u32->cfg_type;
+ for (i = 0; i < MAX_LED_TRIGGERS; i++) {
+ flash_data.flash_current[i] = u32->flash_current[i];
+ flash_data.flash_duration[i] = u32->flash_duration[i];
+ }
 cmd = VIDIOC_MSM_FLASH_CFG;
 switch (flash_data.cfg_type) {
 case CFG_FLASH_OFF:
diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
index c94ee509631f..bfb15846e73c 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
@@ -774,11 +774,10 @@ static long msm_ois_subdev_do_ioctl(
 u32 = (struct msm_ois_cfg_data32 *)arg;
 parg = arg;
- ois_data.cfgtype = u32->cfgtype;
-
 switch (cmd) {
 case VIDIOC_MSM_OIS_CFG32:
 cmd = VIDIOC_MSM_OIS_CFG;
+ ois_data.cfgtype = u32->cfgtype;
 switch (u32->cfgtype) {
 case CFG_OIS_CONTROL:
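Review bot: For every command other than `VIDIOC_MSM_FLASH_CFG32`, `flash_data` is no longer filled from `u32` in msm_flash_subdev_do_ioctl, and the hunk does not show whether code after the outer `switch (cmd)` still reads `flash_data` or copies results back through `u32`. The function body continues outside the hunk, so this has to be confirmed there: either the other cases return before that point, or any post-switch access to `u32` needs the same per-command gating. A short comment at the case would keep the copy from drifting back above the switch, e.g. `/* arg is a msm_flash_cfg_data_t32 only for VIDIOC_MSM_FLASH_CFG32; do not dereference u32 before cmd is checked */`.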
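Review bot: In the `VIDIOC_MSM_OIS_CFG32` case of msm_ois_subdev_do_ioctl the added line stores `u32->cfgtype` into `ois_data.cfgtype`, but the inner switch on the next line reads `u32->cfgtype` a second time. Dispatching on the local copy, `switch (ois_data.cfgtype) {`, would match the flash handler (`switch (flash_data.cfg_type)`) and guarantee that the value checked is the value later handed down in `ois_data`; whether the memory behind `arg` can change between the two reads is not visible from this hunk. The function body starts and ends outside the hunk.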
@@ -812,7 +811,6 @@ static long msm_ois_subdev_do_ioctl( settings.reg_setting = compat_ptr(settings32.reg_setting); - ois_data.cfgtype = u32->cfgtype; ois_data.cfg.settings = &settings; parg = &ois_data; break; |
