From 7ef725f4f0a637b918113cf19706ea192c6cad44 Mon Sep 17 00:00:00 2001
From: annamraj <annamraj@codeaurora.org>
Date: Thu, 15 Jun 2017 16:02:13 +0530
Subject: [PATCH] msm: camera: Proper use of snprintf to avoid information leak

Making use of return value of snprintf to avoid information
leak and using pk instead of lx for writing address to buffer.

Change-Id: If54b37c43679613658e270c3b0da499c6d82eecf
Signed-off-by: annamraj <annamraj@codeaurora.org>
---
 .../msm/camera_v2/jpeg_10/msm_jpeg_hw.c       | 35 ++++++++++++++-----
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
index e40869d41a5d..821833d53905 100644
--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -903,26 +903,45 @@ int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds,
 
 void msm_jpeg_io_dump(void *base, int size)
 {
-	char line_str[128], *p_str;
+	char line_str[128];
 	void __iomem *addr = (void __iomem *)base;
 	int i;
 	u32 *p = (u32 *) addr;
+	size_t offset = 0;
+	size_t used = 0;
+	size_t min_range = 0;
+	size_t sizeof_line_str = sizeof(line_str);
 	u32 data;
 	JPEG_DBG_HIGH("%s:%d] %pK %d", __func__, __LINE__, addr, size);
 	line_str[0] = '\0';
-	p_str = line_str;
 	for (i = 0; i < size/4; i++) {
 		if (i % 4 == 0) {
-			snprintf(p_str, 12, "%08lx: ", (unsigned long)p);
-			p_str += 10;
+			used = snprintf(line_str + offset,
+				sizeof_line_str - offset, "%pK ", p);
+			if ((used < min_range) ||
+				(offset + used >= sizeof_line_str)) {
+				JPEG_PR_ERR("%s\n", line_str);
+				offset = 0;
+				line_str[0] = '\0';
+			} else {
+				offset += used;
+			}
 		}
 		data = msm_camera_io_r(p++);
-		snprintf(p_str, 12, "%08x ", data);
-		p_str += 9;
+		used = snprintf(line_str + offset,
+			sizeof_line_str - offset, "%08x ", data);
+		if ((used < min_range) ||
+			(offset + used >= sizeof_line_str)) {
+			JPEG_PR_ERR("%s\n", line_str);
+			offset = 0;
+			line_str[0] = '\0';
+		} else {
+			offset += used;
+		}
 		if ((i + 1) % 4 == 0) {
 			JPEG_DBG_HIGH("%s\n", line_str);
 			line_str[0] = '\0';
-			p_str = line_str;
+			offset = 0;
 		}
 	}
 	if (line_str[0] != '\0')