
Commit f994f200 authored by Jigarkumar Zala's avatar Jigarkumar Zala Committed by Gerrit - the friendly Code Review server

msm: camera: eeprom: Fix OOB condition for memory map count



Fix OOB check for memory map count to access correct memory map.

Change-Id: Ifa3d323103725e4df57e86295bb7567835654b71
Signed-off-by: default avatarJigarkumar Zala <jzala@codeaurora.org>
Signed-off-by: default avatarSridhar Gujje <sgujje@codeaurora.org>
parent 802d279d
+7 −6
@@ -439,8 +439,9 @@ static int32_t cam_eeprom_parse_memory_map(
	else if (cmm_hdr->cmd_type == CAMERA_SENSOR_CMD_TYPE_WAIT)
		validate_size = sizeof(struct cam_cmd_unconditional_wait);

	if (remain_buf_len < validate_size || *num_map >=
		(MSM_EEPROM_MEMORY_MAP_MAX_SIZE * MSM_EEPROM_MAX_MEM_MAP_CNT)) {
	if (remain_buf_len < validate_size ||
	    *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *
		MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {
		CAM_ERR(CAM_EEPROM, "not enough buffer");
		return -EINVAL;
	}
@@ -449,10 +450,10 @@ static int32_t cam_eeprom_parse_memory_map(
		i2c_random_wr = (struct cam_cmd_i2c_random_wr *)cmd_buf;

		if (i2c_random_wr->header.count == 0 ||
			i2c_random_wr->header.count >=
			(MSM_EEPROM_MEMORY_MAP_MAX_SIZE *
			MSM_EEPROM_MAX_MEM_MAP_CNT) ||
		    (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
		    (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
				MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
				i2c_random_wr->header.count)) {
			CAM_ERR(CAM_EEPROM, "OOB Error");
			return -EINVAL;
		}
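Review bot: The rewritten bound in the second hunk, `(size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE) - i2c_random_wr->header.count)`, is wrap-free only because the `header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT` clause short-circuits before it, and nothing in the code records that dependency. Since `header.count` is read straight out of `cmd_buf`, I would put a comment above the condition, for example `/* count < MSM_EEPROM_MAX_MEM_MAP_CNT is tested first, so the subtraction below cannot wrap */`, so a later reordering of the clauses does not silently weaken the check. The `>=` also rejects a command whose entries would exactly fill the remaining slots. If the map array really holds CNT * SIZE entries (its declaration is outside the hunk), `>` would be the exact bound, so it is worth confirming the stricter form is intended. The first hunk repeats the same product and logs "not enough buffer" for both the short-buffer and the map-count case; the function body starts and continues outside both hunks.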