From 6467925a1c28b47040151e4a8652a0674ec88142 Mon Sep 17 00:00:00 2001 From: Samyukta Mogily Date: Tue, 11 Jul 2017 12:39:04 +0530 Subject: [PATCH] msm: sensor: Fix for variable being de-referenced without proper check Pointer from userspace is de-referenced before the command is checked. This might cause a crash if the command being sent is not a valid command. Hence changing the de-reference such that the pointer is accessed after checking if a valid command is sent from the userspace. Change-Id: I8db9382dd184f1564176ab45355954dcde8a3ab3 Signed-off-by: Samyukta Mogily
---
 .../media/platform/msm/ais/sensor/flash/msm_flash.c | 10 +++++-----
 drivers/media/platform/msm/ais/sensor/ois/msm_ois.c | 3 +--
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c b/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c
index 6af589e5c230..a2a89b92c9f1 100644
--- a/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c
@@ -1022,13 +1022,13 @@ static long msm_flash_subdev_do_ioctl(
 sd = vdev_to_v4l2_subdev(vdev);
 u32 = (struct msm_flash_cfg_data_t32 *)arg;
- flash_data.cfg_type = u32->cfg_type;
- for (i = 0; i < MAX_LED_TRIGGERS; i++) {
- flash_data.flash_current[i] = u32->flash_current[i];
- flash_data.flash_duration[i] = u32->flash_duration[i];
- }
 switch (cmd) {
 case VIDIOC_MSM_FLASH_CFG32:
+ flash_data.cfg_type = u32->cfg_type;
+ for (i = 0; i < MAX_LED_TRIGGERS; i++) {
+ flash_data.flash_current[i] = u32->flash_current[i];
+ flash_data.flash_duration[i] = u32->flash_duration[i];
+ }
 cmd = VIDIOC_MSM_FLASH_CFG;
 switch (flash_data.cfg_type) {
 case CFG_FLASH_OFF:
diff --git a/drivers/media/platform/msm/ais/sensor/ois/msm_ois.c b/drivers/media/platform/msm/ais/sensor/ois/msm_ois.c
index 28a5402a4359..236660dca3fb 100644
--- a/drivers/media/platform/msm/ais/sensor/ois/msm_ois.c
+++ b/drivers/media/platform/msm/ais/sensor/ois/msm_ois.c
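Review bot: In msm_flash_subdev_do_ioctl (msm_flash.c) the relocated reads of `u32->cfg_type`, `u32->flash_current[i]` and `u32->flash_duration[i]` are still plain dereferences of `arg`, although the commit message describes `arg` as a pointer from userspace. If `arg` really is a user address, the struct has to be fetched with `copy_from_user()` into a local `struct msm_flash_cfg_data_t32` rather than read through the cast. If the ioctl core has already copied it into a kernel buffer sized for the command (not visible in this hunk), the move is sufficient but should carry a comment so the copy is not hoisted again, e.g. `/* arg is only a valid msm_flash_cfg_data_t32 once cmd == VIDIOC_MSM_FLASH_CFG32 */`. The same question applies to the `u32->cfgtype` read in msm_ois_subdev_do_ioctl. The function starts and ends outside the hunk, so any NULL or size check on `arg` could not be confirmed.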
@@ -781,11 +781,10 @@ static long msm_ois_subdev_do_ioctl(
 u32 = (struct msm_ois_cfg_data32 *)arg;
 parg = arg;
- ois_data.cfgtype = u32->cfgtype;
-
 switch (cmd) {
 case VIDIOC_MSM_OIS_CFG32:
 cmd = VIDIOC_MSM_OIS_CFG;
+ ois_data.cfgtype = u32->cfgtype;
 switch (u32->cfgtype) {
 case CFG_OIS_CONTROL:
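Review bot: The inner `switch (u32->cfgtype)` in msm_ois_subdev_do_ioctl reads the field from `arg` a second time, immediately after the added line has copied it into `ois_data.cfgtype`. Dispatching on the local copy, `switch (ois_data.cfgtype) {`, means the branch taken and the value held in `ois_data` cannot disagree if the buffer behind `arg` is ever writable by another context. It also matches the flash handler, which switches on `flash_data.cfg_type`. The function body continues outside the hunk, so later uses of `u32` and `ois_data` were not checked.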