Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f51cde4a authored by Mukund Atre's avatar Mukund Atre Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: flash: Validate led count in flash packet parser 



Add upper bound on count of leds in flash packet parser.

Change-Id: I646bc92caa660e146feabdf161a178171f146115
Signed-off-by: default avatarMukund Atre <matre@codeaurora.org>
parent fc29a3de

drivers/media/platform/msm/camera/cam_sensor_module/cam_flash/cam_flash_core.c

+37 −0
Original line number Diff line number Diff line
@@ -1280,6 +1280,16 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 


			flash_operation_info =

				(struct cam_flash_set_on_off *) cmd_buf;

			if (!flash_operation_info) {

				CAM_ERR(CAM_FLASH,

					"flash_operation_info Null");

				return -EINVAL;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				return -EINVAL;

			}

			fctrl->nrt_info.cmn_attr.count =

				flash_operation_info->count;

			fctrl->nrt_info.cmn_attr.request_id = 0;
@@ -1355,6 +1365,11 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
					"flash_operation_info Null");

				return -EINVAL;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				return -EINVAL;

			}



			flash_data->opcode = flash_operation_info->opcode;

			flash_data->cmn_attr.count =
@@ -1387,6 +1402,17 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
			CAM_DBG(CAM_FLASH, "Widget Flash Operation");

			flash_operation_info =

				(struct cam_flash_set_on_off *) cmd_buf;

			if (!flash_operation_info) {

				CAM_ERR(CAM_FLASH,

					"flash_operation_info Null");

				return -EINVAL;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				return -EINVAL;

			}



			fctrl->nrt_info.cmn_attr.count =

				flash_operation_info->count;

			fctrl->nrt_info.cmn_attr.request_id = 0;
@@ -1426,6 +1452,17 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
		case CAMERA_SENSOR_FLASH_CMD_TYPE_RER: {

			rc = 0;

			flash_rer_info = (struct cam_flash_set_rer *)cmd_buf;

			if (!flash_rer_info) {

				CAM_ERR(CAM_FLASH,

					"flash_rer_info Null");

				return -EINVAL;

			}

			if (flash_rer_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				return -EINVAL;

			}



			fctrl->nrt_info.cmn_attr.cmd_type =

				CAMERA_SENSOR_FLASH_CMD_TYPE_RER;

			fctrl->nrt_info.opcode = flash_rer_info->opcode;