evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: mdss: Check for buffer boundary condition in panel_debug_reg_write

Browse source 
- Before reading from new offset in a buffer, check for out
of bounds condition.
- Avoid using '%n' specifier.
- Use kstrtouint() instead of single variable sscanf
as per coding guidelines.

Change-Id: I10ea6f2b22d554d02f302f5700f6674d08e4777d
Signed-off-by: Krishna Srinivas <krisrini@codeaurora.org>
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
This commit is contained in:
Krishna Srinivas 2016-06-21 17:05:37 -07:00 committed by Harsh Sahu
parent b11c90dac5
commit ab04957588
1 changed files with 14 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
drivers/video/fbdev/msm/mdss_debug.c
View file

@ -39,6 +39,9 @@
#define PANEL_CMD_MIN_TX_COUNT 2
#define PANEL_DATA_NODE_LEN 80
/* Hex number + whitespace */
#define NEXT_VALUE_OFFSET 3
#define INVALID_XIN_ID 0xFF
static char panel_reg[2] = {DEFAULT_READ_PANEL_POWER_MODE_REG, 0x00};
@ -129,7 +132,7 @@ static ssize_t panel_debug_base_reg_write(struct file *file,
struct mdss_debug_base *dbg = file->private_data;
char buf[PANEL_TX_MAX_BUF] = {0x0};
char reg[PANEL_TX_MAX_BUF] = {0x0};
u32 len = 0, step = 0, value = 0;
u32 len = 0, value = 0;
char *bufp;
struct mdss_data_type *mdata = mdss_res;
@ -152,13 +155,21 @@ static ssize_t panel_debug_base_reg_write(struct file *file,
buf[count] = 0; /* end of string */
bufp = buf;
while (sscanf(bufp, "%x%n", &value, &step) > 0) {
/* End of a hex value in given string */
bufp[NEXT_VALUE_OFFSET - 1] = 0;
while (kstrtouint(bufp, 16, &value) == 0) {
reg[len++] = value;
if (len >= PANEL_TX_MAX_BUF) {
pr_err("wrong input reg len\n");
return -EFAULT;
}
bufp += step;
bufp += NEXT_VALUE_OFFSET;
if ((bufp >= (buf + count)) || (bufp < buf)) {
pr_warn("%s,buffer out-of-bounds\n", __func__);
break;
}
/* End of a hex value in given string */
bufp[NEXT_VALUE_OFFSET - 1] = 0;
}
if (len < PANEL_CMD_MIN_TX_COUNT) {
pr_err("wrong input reg len\n");