Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0985a2a9 authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: camera: eeprom: Fix OOB condition for memory map count"

parents 3e1a16d8 b3fd7723

drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c

+5 −2
Original line number Original line Diff line number Diff line
@@ -439,7 +439,8 @@ static int32_t cam_eeprom_parse_memory_map( 
		validate_size = sizeof(struct cam_cmd_unconditional_wait);

		validate_size = sizeof(struct cam_cmd_unconditional_wait);





	if (remain_buf_len < validate_size ||

	if (remain_buf_len < validate_size ||

	    *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {

	    *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *

		MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {

		CAM_ERR(CAM_EEPROM, "not enough buffer");

		CAM_ERR(CAM_EEPROM, "not enough buffer");

		return -EINVAL;

		return -EINVAL;

	}

	}
@@ -449,7 +450,9 @@ static int32_t cam_eeprom_parse_memory_map( 




		if (i2c_random_wr->header.count == 0 ||

		if (i2c_random_wr->header.count == 0 ||

		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||

		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||

		    (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {

		    (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *

				MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -

				i2c_random_wr->header.count)) {

			CAM_ERR(CAM_EEPROM, "OOB Error");

			CAM_ERR(CAM_EEPROM, "OOB Error");

			return -EINVAL;

			return -EINVAL;

		}

		}