Loading drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c +11 −8 Original line number Diff line number Diff line Loading @@ -424,6 +424,7 @@ static int32_t cam_eeprom_parse_memory_map( int32_t rc = 0; int32_t cnt = 0; int32_t processed_size = 0; int32_t payload_count; uint8_t generic_op_code; struct cam_eeprom_memory_map_t *map = data->map; struct common_header *cmm_hdr = Loading Loading @@ -453,24 +454,25 @@ static int32_t cam_eeprom_parse_memory_map( switch (cmm_hdr->cmd_type) { case CAMERA_SENSOR_CMD_TYPE_I2C_RNDM_WR: i2c_random_wr = (struct cam_cmd_i2c_random_wr *)cmd_buf; payload_count = i2c_random_wr->header.count; if (i2c_random_wr->header.count == 0 || i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT || if (payload_count == 0 || payload_count >= MSM_EEPROM_MAX_MEM_MAP_CNT || (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE) - i2c_random_wr->header.count)) { payload_count)) { CAM_ERR(CAM_EEPROM, "OOB Error"); return -EINVAL; } cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_random_wr) + ((i2c_random_wr->header.count - 1) * ((payload_count - 1) * sizeof(struct i2c_random_wr_payload)); if (cmd_length_in_bytes > remain_buf_len) { CAM_ERR(CAM_EEPROM, "Not enough buffer remaining"); return -EINVAL; } for (cnt = 0; cnt < (i2c_random_wr->header.count); for (cnt = 0; cnt < (payload_count); cnt++) { map[*num_map + cnt].page.addr = i2c_random_wr->random_wr_payload[cnt].reg_addr; Loading @@ -483,7 +485,7 @@ static int32_t cam_eeprom_parse_memory_map( map[*num_map + cnt].page.valid_size = 1; } *num_map += (i2c_random_wr->header.count - 1); *num_map += (payload_count - 1); cmd_buf += cmd_length_in_bytes / sizeof(int32_t); processed_size += cmd_length_in_bytes; Loading @@ -491,8 +493,9 @@ static int32_t cam_eeprom_parse_memory_map( case CAMERA_SENSOR_CMD_TYPE_I2C_CONT_RD: i2c_cont_rd = (struct cam_cmd_i2c_continuous_rd *)cmd_buf; cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_continuous_rd); payload_count = i2c_cont_rd->header.count; if (i2c_cont_rd->header.count >= U32_MAX - data->num_data) { if (payload_count >= U32_MAX - data->num_data) { CAM_ERR(CAM_EEPROM, "int overflow on eeprom memory block"); return -EINVAL; Loading @@ -501,7 +504,7 @@ static int32_t cam_eeprom_parse_memory_map( map[*num_map].mem.addr_type = i2c_cont_rd->header.addr_type; map[*num_map].mem.data_type = i2c_cont_rd->header.data_type; map[*num_map].mem.valid_size = i2c_cont_rd->header.count; payload_count; cmd_buf += cmd_length_in_bytes / sizeof(int32_t); processed_size += cmd_length_in_bytes; Loading Loading
drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c +11 −8 Original line number Diff line number Diff line Loading @@ -424,6 +424,7 @@ static int32_t cam_eeprom_parse_memory_map( int32_t rc = 0; int32_t cnt = 0; int32_t processed_size = 0; int32_t payload_count; uint8_t generic_op_code; struct cam_eeprom_memory_map_t *map = data->map; struct common_header *cmm_hdr = Loading Loading @@ -453,24 +454,25 @@ static int32_t cam_eeprom_parse_memory_map( switch (cmm_hdr->cmd_type) { case CAMERA_SENSOR_CMD_TYPE_I2C_RNDM_WR: i2c_random_wr = (struct cam_cmd_i2c_random_wr *)cmd_buf; payload_count = i2c_random_wr->header.count; if (i2c_random_wr->header.count == 0 || i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT || if (payload_count == 0 || payload_count >= MSM_EEPROM_MAX_MEM_MAP_CNT || (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE) - i2c_random_wr->header.count)) { payload_count)) { CAM_ERR(CAM_EEPROM, "OOB Error"); return -EINVAL; } cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_random_wr) + ((i2c_random_wr->header.count - 1) * ((payload_count - 1) * sizeof(struct i2c_random_wr_payload)); if (cmd_length_in_bytes > remain_buf_len) { CAM_ERR(CAM_EEPROM, "Not enough buffer remaining"); return -EINVAL; } for (cnt = 0; cnt < (i2c_random_wr->header.count); for (cnt = 0; cnt < (payload_count); cnt++) { map[*num_map + cnt].page.addr = i2c_random_wr->random_wr_payload[cnt].reg_addr; Loading @@ -483,7 +485,7 @@ static int32_t cam_eeprom_parse_memory_map( map[*num_map + cnt].page.valid_size = 1; } *num_map += (i2c_random_wr->header.count - 1); *num_map += (payload_count - 1); cmd_buf += cmd_length_in_bytes / sizeof(int32_t); processed_size += cmd_length_in_bytes; Loading @@ -491,8 +493,9 @@ static int32_t cam_eeprom_parse_memory_map( case CAMERA_SENSOR_CMD_TYPE_I2C_CONT_RD: i2c_cont_rd = (struct cam_cmd_i2c_continuous_rd *)cmd_buf; cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_continuous_rd); payload_count = i2c_cont_rd->header.count; if (i2c_cont_rd->header.count >= U32_MAX - data->num_data) { if (payload_count >= U32_MAX - data->num_data) { CAM_ERR(CAM_EEPROM, "int overflow on eeprom memory block"); return -EINVAL; Loading @@ -501,7 +504,7 @@ static int32_t cam_eeprom_parse_memory_map( map[*num_map].mem.addr_type = i2c_cont_rd->header.addr_type; map[*num_map].mem.data_type = i2c_cont_rd->header.data_type; map[*num_map].mem.valid_size = i2c_cont_rd->header.count; payload_count; cmd_buf += cmd_length_in_bytes / sizeof(int32_t); processed_size += cmd_length_in_bytes; Loading
