evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: camera: flash: Validate the power setting size

Browse source 
Validate the power setting size before copying.
If userspace sends a value which is greater than
MAX_POWER_CONFIG, then the driver accesses unintended memory.
This change will fix the issue.

CRs-Fixed: 1093232
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Ia49963248a94765baa19695294b197ea6f3bb8e2
This commit is contained in:
Rajesh Bondugula 2016-11-22 11:04:04 -08:00
parent cd316285c5
commit 8236d6ebc7
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
View file

@ -269,6 +269,16 @@ static int32_t msm_flash_i2c_init(
flash_ctrl->power_info.power_down_setting_size =
flash_ctrl->power_setting_array.size_down;
if ((flash_ctrl->power_info.power_setting_size > MAX_POWER_CONFIG) ||
(flash_ctrl->power_info.power_down_setting_size > MAX_POWER_CONFIG)) {
pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
__func__, __LINE__,
flash_ctrl->power_info.power_setting_size,
flash_ctrl->power_info.power_down_setting_size);
rc = -EINVAL;
goto msm_flash_i2c_init_fail;
}
rc = msm_camera_power_up(&flash_ctrl->power_info,
flash_ctrl->flash_device_type,
&flash_ctrl->flash_i2c_client);