Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2fa3ca67 authored by Raja Mallik's avatar Raja Mallik
Browse files

msm: camera_v3: eeprom: Fix OOB condition for memory map count 



Fix OOB check for memory map count to access correct memory map.

Change-Id: Ib41d1582d8fb0dbdc0a2e3e09873a84d74f55bce
Signed-off-by: default avatarJigarkumar Zala <jzala@codeaurora.org>
Signed-off-by: default avatarSridhar Gujje <sgujje@codeaurora.org>
Signed-off-by: default avatarRaja Mallik <rmallik@codeaurora.org>
parent f18104ef

drivers/media/platform/msm/camera_v3/cam_sensor_module/cam_eeprom/cam_eeprom_core.c

+5 −2
Original line number Diff line number Diff line
@@ -440,7 +440,8 @@ static int32_t cam_eeprom_parse_memory_map( 
		validate_size = sizeof(struct cam_cmd_unconditional_wait);



	if (remain_buf_len < validate_size ||

	    *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {

	    *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *

		MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {

		CAM_ERR(CAM_EEPROM, "not enough buffer");

		return -EINVAL;

	}
@@ -450,7 +451,9 @@ static int32_t cam_eeprom_parse_memory_map( 


		if (i2c_random_wr->header.count == 0 ||

		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||

		    (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {

		    (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *

				MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -

				i2c_random_wr->header.count)) {

			CAM_ERR(CAM_EEPROM, "OOB Error");

			return -EINVAL;

		}