
Commit 486680be authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server

Merge "msm: camera: eeprom: Fix OOB read/write in EEPROM"

parents a397bab9 1850df5a
+18 −1
@@ -434,17 +434,29 @@ static int32_t cam_eeprom_parse_memory_map(
	else if (cmm_hdr->cmd_type == CAMERA_SENSOR_CMD_TYPE_WAIT)
		validate_size = sizeof(struct cam_cmd_unconditional_wait);

	if (remain_buf_len < validate_size) {
	if (remain_buf_len < validate_size ||
	    *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {
		CAM_ERR(CAM_EEPROM, "not enough buffer");
		return -EINVAL;
	}
	switch (cmm_hdr->cmd_type) {
	case CAMERA_SENSOR_CMD_TYPE_I2C_RNDM_WR:
		i2c_random_wr = (struct cam_cmd_i2c_random_wr *)cmd_buf;

		if (i2c_random_wr->header.count == 0 ||
		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
		    (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
			CAM_ERR(CAM_EEPROM, "OOB Error");
			return -EINVAL;
		}
		cmd_length_in_bytes   = sizeof(struct cam_cmd_i2c_random_wr) +
			((i2c_random_wr->header.count - 1) *
			sizeof(struct i2c_random_wr_payload));

		if (cmd_length_in_bytes > remain_buf_len) {
			CAM_ERR(CAM_EEPROM, "Not enough buffer remaining");
			return -EINVAL;
		}
		for (cnt = 0; cnt < (i2c_random_wr->header.count);
			cnt++) {
			map[*num_map + cnt].page.addr =
@@ -467,6 +479,11 @@ static int32_t cam_eeprom_parse_memory_map(
		i2c_cont_rd = (struct cam_cmd_i2c_continuous_rd *)cmd_buf;
		cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_continuous_rd);

		if (i2c_cont_rd->header.count >= U32_MAX - data->num_data) {
			CAM_ERR(CAM_EEPROM,
				"int overflow on eeprom memory block");
			return -EINVAL;
		}
		map[*num_map].mem.addr = i2c_cont_rd->reg_addr;
		map[*num_map].mem.addr_type = i2c_cont_rd->header.addr_type;
		map[*num_map].mem.data_type = i2c_cont_rd->header.data_type;
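Review bot: The new guards in the `CAMERA_SENSOR_CMD_TYPE_I2C_RNDM_WR` case bound `*num_map` and `header.count` separately, but the loop writes `map[*num_map + cnt]`, so the sum can still exceed `MSM_EEPROM_MAX_MEM_MAP_CNT`; the `U16_MAX` comparison only prevents arithmetic wrap. If `map` is sized by that constant (its allocation is not visible here, so confirm), bound the sum instead, e.g. `i2c_random_wr->header.count > MSM_EEPROM_MAX_MEM_MAP_CNT - *num_map`, which cannot underflow after the earlier `*num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT` test. `header.count` is also re-read from `cmd_buf` in the length computation and in the loop condition after it has been validated; if that buffer is shared with user space, copy the count into a local once and use the local throughout. The first check now logs "not enough buffer" for a full map as well, which will mislead triage. `cam_eeprom_parse_memory_map` starts and ends outside both hunks.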