From bbacde467c57fea08bdb097dffce05e956fa6f43 Mon Sep 17 00:00:00 2001
From: Udaya Bhaskara Reddy Mallavarapu <udaym@codeaurora.org>
Date: Tue, 5 Sep 2017 12:01:41 +0530
Subject: [PATCH] drivers: media: broadcast: Fix security vulnerability issue

Information leak issue is reported in mpq_sdmx_log_level_write
function. Added check to validate count is not zero and initialize
the string.

Change-Id: Ieb2ed88c2d7d778c56be2ec3b9875270a9c74dce
Signed-off-by: Udaya Bhaskara Reddy Mallavarapu <udaym@codeaurora.org>
---
 .../media/platform/msm/dvb/demux/mpq_dmx_plugin_common.c  | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/dvb/demux/mpq_dmx_plugin_common.c b/drivers/media/platform/msm/dvb/demux/mpq_dmx_plugin_common.c
index 2d2296893140..9f3e2cc3a72f 100644
--- a/drivers/media/platform/msm/dvb/demux/mpq_dmx_plugin_common.c
+++ b/drivers/media/platform/msm/dvb/demux/mpq_dmx_plugin_common.c
@@ -523,13 +523,17 @@ static ssize_t mpq_sdmx_log_level_write(struct file *fp,
 	int level;
 	struct mpq_demux *mpq_demux = fp->private_data;
 
-	if (count >= 16)
+	if (count == 0 || count >= 16)
 		return -EINVAL;
 
-	ret_count = simple_write_to_buffer(user_str, 16, position, user_buffer,
+	memset(user_str, '\0', sizeof(user_str));
+
+	ret_count = simple_write_to_buffer(user_str, 15, position, user_buffer,
 		count);
 	if (ret_count < 0)
 		return ret_count;
+	else if (ret_count == 0)
+		return -EINVAL;
 
 	ret = kstrtoint(user_str, 0, &level);
 	if (ret)