Loading drivers/media/platform/msm/camera/cam_sensor_module/cam_actuator/cam_actuator_core.c +30 −6 Original line number Diff line number Diff line Loading @@ -413,6 +413,7 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, int32_t i = 0; uint32_t total_cmd_buf_in_bytes = 0; size_t len_of_buff = 0; size_t remaining_len_of_buff = 0; uint32_t *offset = NULL; uint32_t *cmd_buf = NULL; uintptr_t generic_ptr; Loading Loading @@ -450,18 +451,31 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, return rc; } if (config.offset > len_of_buff) { remaining_len_of_buff = len_of_buff; if ((sizeof(struct cam_packet) > len_of_buff) || ((size_t)config.offset >= len_of_buff - sizeof(struct cam_packet))) { CAM_ERR(CAM_ACTUATOR, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buff); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; csl_packet = (struct cam_packet *) (generic_pkt_ptr + (uint32_t)config.offset); CAM_DBG(CAM_ACTUATOR, "Pkt opcode: %d", csl_packet->header.op_code); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_ACTUATOR, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); CAM_DBG(CAM_ACTUATOR, "Pkt opcode: %d", csl_packet->header.op_code); if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_ACTUATOR_PACKET_OPCODE_INIT && Loading 
@@ -470,12 +484,22 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, CAM_DBG(CAM_ACTUATOR, "reject request %lld, last request to flush %lld", csl_packet->header.request_id, a_ctrl->last_flush_req); return -EINVAL; rc = -EINVAL; goto rel_pkt_buf; } if (csl_packet->header.request_id > a_ctrl->last_flush_req) a_ctrl->last_flush_req = 0; if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_ACTUATOR, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_ACTUATOR_PACKET_OPCODE_INIT: offset = (uint32_t *)&csl_packet->payload; Loading drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/cam_csiphy_core.c +25 −3 Original line number Diff line number Diff line Loading @@ -165,6 +165,7 @@ int32_t cam_cmd_buf_parser(struct csiphy_device *csiphy_dev, uint32_t *cmd_buf = NULL; struct cam_csiphy_info *cam_cmd_csiphy_info = NULL; size_t len; size_t remaining_len_of_buff; if (!cfg_dev || !csiphy_dev) { CAM_ERR(CAM_CSIPHY, "Invalid Args"); Loading 
@@ -178,17 +179,38 @@ int32_t cam_cmd_buf_parser(struct csiphy_device *csiphy_dev, return rc; } if (cfg_dev->offset > len) { remaining_len_of_buff = len; if ((sizeof(struct cam_packet) > len) || ((size_t)cfg_dev->offset >= len - sizeof(struct cam_packet))) { CAM_ERR(CAM_CSIPHY, "offset is out of bounds: offset: %lld len: %zu", cfg_dev->offset, len); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= cfg_dev->offset; csl_packet = (struct cam_packet *) (generic_pkt_ptr + (uint32_t)cfg_dev->offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_CSIPHY, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_CSIPHY, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } cmd_desc = (struct cam_cmd_buf_desc *) ((uint32_t *)&csl_packet->payload + csl_packet->cmd_buf_offset / 4); Loading drivers/media/platform/msm/camera/cam_sensor_module/cam_flash/cam_flash_core.c +52 −11 Original line number Diff line number Diff line Loading @@ -904,6 +904,7 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) uint32_t *offset = NULL; uint32_t frm_offset = 0; size_t len_of_buffer; size_t remaining_len_of_buff; struct cam_flash_init *flash_init = NULL; struct common_header *cmn_hdr = NULL; struct cam_control *ioctl_ctrl = NULL; Loading Loading 
@@ -931,20 +932,30 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) rc = cam_mem_get_cpu_buf(config.packet_handle, &generic_ptr, &len_of_buffer); if (rc) { CAM_ERR(CAM_FLASH, "Failed in getting the buffer : %d", rc); CAM_ERR(CAM_FLASH, "Failed in getting the packet : %d", rc); return rc; } if (config.offset > len_of_buffer) { remaining_len_of_buff = len_of_buffer; if ((sizeof(struct cam_packet) > len_of_buffer) || ((size_t)config.offset >= len_of_buffer - sizeof(struct cam_packet))) { CAM_ERR(CAM_FLASH, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buffer); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buffer); return -EINVAL; } remaining_len_of_buff -= config.offset; /* Add offset to the flash csl header */ csl_packet = (struct cam_packet *)(generic_ptr + config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); return -EINVAL; } if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_FLASH_PACKET_OPCODE_INIT && csl_packet->header.request_id <= fctrl->last_flush_req Loading @@ -958,6 +969,14 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) if (csl_packet->header.request_id > fctrl->last_flush_req) fctrl->last_flush_req = 0; remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "InVal len: %zu", remaining_len_of_buff); return -EINVAL; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_FLASH_PACKET_OPCODE_INIT: { /* INIT packet*/ Loading Loading 
@@ -1224,6 +1243,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) uint32_t *offset = NULL; uint32_t frm_offset = 0; size_t len_of_buffer; size_t remaining_len_of_buff; struct cam_control *ioctl_ctrl = NULL; struct cam_packet *csl_packet = NULL; struct cam_cmd_buf_desc *cmd_desc = NULL; Loading Loading @@ -1259,21 +1279,32 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) rc = cam_mem_get_cpu_buf(config.packet_handle, &generic_ptr, &len_of_buffer); if (rc) { CAM_ERR(CAM_FLASH, "Failed in getting the buffer : %d", rc); CAM_ERR(CAM_FLASH, "Failed in getting the packet: %d", rc); return rc; } if (config.offset > len_of_buffer) { remaining_len_of_buff = len_of_buffer; if ((sizeof(struct cam_packet) > len_of_buffer) || ((size_t)config.offset >= len_of_buffer - sizeof(struct cam_packet))) { CAM_ERR(CAM_FLASH, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buffer); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buffer); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; /* Add offset to the flash csl header */ csl_packet = (struct cam_packet *)(generic_ptr + (uint32_t)config.offset); csl_packet = (struct cam_packet *)(generic_ptr + config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_FLASH_PACKET_OPCODE_INIT && Loading 
@@ -1289,6 +1320,16 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) if (csl_packet->header.request_id > fctrl->last_flush_req) fctrl->last_flush_req = 0; remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_FLASH_PACKET_OPCODE_INIT: { /* INIT packet*/ Loading drivers/media/platform/msm/camera/cam_sensor_module/cam_ois/cam_ois_core.c +27 −3 Original line number Diff line number Diff line Loading @@ -433,6 +433,7 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg) struct cam_cmd_buf_desc *cmd_desc = NULL; uintptr_t generic_pkt_addr; size_t pkt_len; size_t remaining_len_of_buff = 0; struct cam_packet *csl_packet = NULL; size_t len_of_buff = 0; uint32_t *offset = NULL, *cmd_buf; Loading 
@@ -453,16 +454,39 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg) return rc; } if (dev_config.offset > pkt_len) { remaining_len_of_buff = pkt_len; if ((sizeof(struct cam_packet) > pkt_len) || ((size_t)dev_config.offset >= pkt_len - sizeof(struct cam_packet))) { CAM_ERR(CAM_OIS, "offset is out of bound: off: %lld len: %zu", dev_config.offset, pkt_len); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), pkt_len); rc = -EINVAL; goto rel_pkt; } remaining_len_of_buff -= dev_config.offset; csl_packet = (struct cam_packet *) (generic_pkt_addr + (uint32_t)dev_config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_OIS, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_OIS, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_OIS_PACKET_OPCODE_INIT: offset = (uint32_t *)&csl_packet->payload; Loading drivers/media/platform/msm/camera/cam_sensor_module/cam_sensor/cam_sensor_core.c +28 −4 Original line number Diff line number Diff line Loading @@ -94,6 +94,7 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, struct cam_cmd_buf_desc *cmd_desc = NULL; struct i2c_settings_array *i2c_reg_settings = NULL; size_t len_of_buff = 0; size_t remaining_len_of_buff = 0; uint32_t *offset = NULL; struct cam_config_dev_cmd config; struct i2c_data_settings *i2c_data = NULL; Loading 
@@ -115,20 +116,35 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, &generic_ptr, &len_of_buff); if (rc < 0) { CAM_ERR(CAM_SENSOR, "Failed in getting the buffer: %d", rc); CAM_ERR(CAM_SENSOR, "Failed in getting the packet: %d", rc); return rc; } remaining_len_of_buff = len_of_buff; if ((sizeof(struct cam_packet) > len_of_buff) || ((size_t)config.offset >= len_of_buff - sizeof(struct cam_packet))) { CAM_ERR(CAM_SENSOR, "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; csl_packet = (struct cam_packet *)(generic_ptr + (uint32_t)config.offset); if (config.offset > len_of_buff) { if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_SENSOR, "offset is out of bounds: off: %lld len: %zu", config.offset, len_of_buff); "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_SENSOR_PACKET_OPCODE_SENSOR_INITIAL_CONFIG && csl_packet->header.request_id <= s_ctrl->last_flush_req Loading Loading @@ -225,6 +241,14 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, goto rel_pkt_buf; } if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_SENSOR, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } offset = (uint32_t *)&csl_packet->payload; offset += csl_packet->cmd_buf_offset / 4; cmd_desc = (struct cam_cmd_buf_desc *)(offset); Loading Loading
drivers/media/platform/msm/camera/cam_sensor_module/cam_actuator/cam_actuator_core.c +30 −6 Original line number Diff line number Diff line Loading @@ -413,6 +413,7 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, int32_t i = 0; uint32_t total_cmd_buf_in_bytes = 0; size_t len_of_buff = 0; size_t remaining_len_of_buff = 0; uint32_t *offset = NULL; uint32_t *cmd_buf = NULL; uintptr_t generic_ptr; Loading Loading @@ -450,18 +451,31 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, return rc; } if (config.offset > len_of_buff) { remaining_len_of_buff = len_of_buff; if ((sizeof(struct cam_packet) > len_of_buff) || ((size_t)config.offset >= len_of_buff - sizeof(struct cam_packet))) { CAM_ERR(CAM_ACTUATOR, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buff); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; csl_packet = (struct cam_packet *) (generic_pkt_ptr + (uint32_t)config.offset); CAM_DBG(CAM_ACTUATOR, "Pkt opcode: %d", csl_packet->header.op_code); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_ACTUATOR, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); CAM_DBG(CAM_ACTUATOR, "Pkt opcode: %d", csl_packet->header.op_code); if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_ACTUATOR_PACKET_OPCODE_INIT && Loading 
@@ -470,12 +484,22 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl, CAM_DBG(CAM_ACTUATOR, "reject request %lld, last request to flush %lld", csl_packet->header.request_id, a_ctrl->last_flush_req); return -EINVAL; rc = -EINVAL; goto rel_pkt_buf; } if (csl_packet->header.request_id > a_ctrl->last_flush_req) a_ctrl->last_flush_req = 0; if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_ACTUATOR, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_ACTUATOR_PACKET_OPCODE_INIT: offset = (uint32_t *)&csl_packet->payload; Loading
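Review bot: The new `Inval pkt_header_size` message in `cam_actuator_i2c_pkt_parse` passes `csl_packet->header.size` to `%zu` without a cast, although the comparison just above it needs `(size_t)` on the same field, which suggests the field is narrower than `size_t`. A mismatched `%zu` argument is undefined behaviour and can print a wrong value on 64-bit builds; pass `(size_t)csl_packet->header.size` or use the specifier that matches the field's declared type. The offset-check message also no longer prints `config.offset`, the value that actually failed, and it reads `strut` for `struct` and `len:of_buff` for `len_of_buff`. The same messages are repeated in the csiphy, flash, OIS and sensor parsers of this commit.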
drivers/media/platform/msm/camera/cam_sensor_module/cam_csiphy/cam_csiphy_core.c +25 −3 Original line number Diff line number Diff line Loading @@ -165,6 +165,7 @@ int32_t cam_cmd_buf_parser(struct csiphy_device *csiphy_dev, uint32_t *cmd_buf = NULL; struct cam_csiphy_info *cam_cmd_csiphy_info = NULL; size_t len; size_t remaining_len_of_buff; if (!cfg_dev || !csiphy_dev) { CAM_ERR(CAM_CSIPHY, "Invalid Args"); Loading @@ -178,17 +179,38 @@ int32_t cam_cmd_buf_parser(struct csiphy_device *csiphy_dev, return rc; } if (cfg_dev->offset > len) { remaining_len_of_buff = len; if ((sizeof(struct cam_packet) > len) || ((size_t)cfg_dev->offset >= len - sizeof(struct cam_packet))) { CAM_ERR(CAM_CSIPHY, "offset is out of bounds: offset: %lld len: %zu", cfg_dev->offset, len); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= cfg_dev->offset; csl_packet = (struct cam_packet *) (generic_pkt_ptr + (uint32_t)cfg_dev->offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_CSIPHY, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_CSIPHY, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } cmd_desc = (struct cam_cmd_buf_desc *) ((uint32_t *)&csl_packet->payload + csl_packet->cmd_buf_offset / 4); Loading
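Review bot: `cmd_buf_offset` is never bounded: in `cam_cmd_buf_parser` the new check compares only `num_cmd_buf * sizeof(struct cam_cmd_buf_desc)` with `remaining_len_of_buff`, yet the next statement places `cmd_desc` at `payload + csl_packet->cmd_buf_offset / 4`. A large `cmd_buf_offset` therefore still moves the descriptor array past the validated region; I would reject it first with `if (csl_packet->cmd_buf_offset >= remaining_len_of_buff)` and subtract it from `remaining_len_of_buff` before the count check. The count check is also safer written as a division, `csl_packet->num_cmd_buf > remaining_len_of_buff / sizeof(struct cam_cmd_buf_desc)`, so that it cannot wrap where `size_t` is 32 bits. The same gap is visible in `cam_sensor_i2c_pkt_parse` (`offset += csl_packet->cmd_buf_offset / 4`) and likely applies to the actuator, flash and OIS parsers, whose descriptor lookup lies outside their hunks. The function body continues outside this hunk.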
drivers/media/platform/msm/camera/cam_sensor_module/cam_flash/cam_flash_core.c +52 −11 Original line number Diff line number Diff line Loading @@ -904,6 +904,7 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) uint32_t *offset = NULL; uint32_t frm_offset = 0; size_t len_of_buffer; size_t remaining_len_of_buff; struct cam_flash_init *flash_init = NULL; struct common_header *cmn_hdr = NULL; struct cam_control *ioctl_ctrl = NULL; Loading Loading @@ -931,20 +932,30 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) rc = cam_mem_get_cpu_buf(config.packet_handle, &generic_ptr, &len_of_buffer); if (rc) { CAM_ERR(CAM_FLASH, "Failed in getting the buffer : %d", rc); CAM_ERR(CAM_FLASH, "Failed in getting the packet : %d", rc); return rc; } if (config.offset > len_of_buffer) { remaining_len_of_buff = len_of_buffer; if ((sizeof(struct cam_packet) > len_of_buffer) || ((size_t)config.offset >= len_of_buffer - sizeof(struct cam_packet))) { CAM_ERR(CAM_FLASH, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buffer); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buffer); return -EINVAL; } remaining_len_of_buff -= config.offset; /* Add offset to the flash csl header */ csl_packet = (struct cam_packet *)(generic_ptr + config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); return -EINVAL; } if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_FLASH_PACKET_OPCODE_INIT && csl_packet->header.request_id <= fctrl->last_flush_req Loading 
@@ -958,6 +969,14 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) if (csl_packet->header.request_id > fctrl->last_flush_req) fctrl->last_flush_req = 0; remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "InVal len: %zu", remaining_len_of_buff); return -EINVAL; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_FLASH_PACKET_OPCODE_INIT: { /* INIT packet*/ Loading Loading @@ -1224,6 +1243,7 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) uint32_t *offset = NULL; uint32_t frm_offset = 0; size_t len_of_buffer; size_t remaining_len_of_buff; struct cam_control *ioctl_ctrl = NULL; struct cam_packet *csl_packet = NULL; struct cam_cmd_buf_desc *cmd_desc = NULL; Loading Loading 
@@ -1259,21 +1279,32 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) rc = cam_mem_get_cpu_buf(config.packet_handle, &generic_ptr, &len_of_buffer); if (rc) { CAM_ERR(CAM_FLASH, "Failed in getting the buffer : %d", rc); CAM_ERR(CAM_FLASH, "Failed in getting the packet: %d", rc); return rc; } if (config.offset > len_of_buffer) { remaining_len_of_buff = len_of_buffer; if ((sizeof(struct cam_packet) > len_of_buffer) || ((size_t)config.offset >= len_of_buffer - sizeof(struct cam_packet))) { CAM_ERR(CAM_FLASH, "offset is out of bounds: offset: %lld len: %zu", config.offset, len_of_buffer); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buffer); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; /* Add offset to the flash csl header */ csl_packet = (struct cam_packet *)(generic_ptr + (uint32_t)config.offset); csl_packet = (struct cam_packet *)(generic_ptr + config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_FLASH_PACKET_OPCODE_INIT && Loading @@ -1289,6 +1320,16 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) if (csl_packet->header.request_id > fctrl->last_flush_req) fctrl->last_flush_req = 0; remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_FLASH, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_FLASH_PACKET_OPCODE_INIT: { /* INIT packet*/ Loading
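Review bot: `cam_flash_i2c_pkt_parser` leaves through a bare `return -EINVAL;` on all three new checks, while `cam_flash_pmic_pkt_parser` in the same file and every other parser in this commit use `rc = -EINVAL; goto rel_pkt_buf;`. If the i2c parser also has to release the buffer obtained from `cam_mem_get_cpu_buf` (its cleanup path is outside the hunk), these early returns skip that release. The actuator hunk in this commit converts a bare return to the goto form, apparently for that reason. I would use the goto form here as well, or add a comment stating why this function needs no release.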
drivers/media/platform/msm/camera/cam_sensor_module/cam_ois/cam_ois_core.c +27 −3 Original line number Diff line number Diff line Loading @@ -433,6 +433,7 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg) struct cam_cmd_buf_desc *cmd_desc = NULL; uintptr_t generic_pkt_addr; size_t pkt_len; size_t remaining_len_of_buff = 0; struct cam_packet *csl_packet = NULL; size_t len_of_buff = 0; uint32_t *offset = NULL, *cmd_buf; Loading @@ -453,16 +454,39 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg) return rc; } if (dev_config.offset > pkt_len) { remaining_len_of_buff = pkt_len; if ((sizeof(struct cam_packet) > pkt_len) || ((size_t)dev_config.offset >= pkt_len - sizeof(struct cam_packet))) { CAM_ERR(CAM_OIS, "offset is out of bound: off: %lld len: %zu", dev_config.offset, pkt_len); "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), pkt_len); rc = -EINVAL; goto rel_pkt; } remaining_len_of_buff -= dev_config.offset; csl_packet = (struct cam_packet *) (generic_pkt_addr + (uint32_t)dev_config.offset); if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_OIS, "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_OIS, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt; } switch (csl_packet->header.op_code & 0xFFFFFF) { case CAM_OIS_PACKET_OPCODE_INIT: offset = (uint32_t *)&csl_packet->payload; Loading
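Review bot: `cam_ois_pkt_parse` validates `header.size` and `num_cmd_buf` by reading them through `csl_packet`, that is, directly from the buffer returned for the packet handle, and the `switch` that follows reads the packet again. If that buffer stays writable by the submitting process while the parser runs (not visible from this hunk), the checked values and the values used later can differ. Copying each validated field into a local once, for example `uint32_t num_cmd_buf = csl_packet->num_cmd_buf;` (type assumed), and using only the locals afterwards would make the checks binding. The same pattern applies to the other four parsers in this commit.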
drivers/media/platform/msm/camera/cam_sensor_module/cam_sensor/cam_sensor_core.c +28 −4 Original line number Diff line number Diff line Loading @@ -94,6 +94,7 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, struct cam_cmd_buf_desc *cmd_desc = NULL; struct i2c_settings_array *i2c_reg_settings = NULL; size_t len_of_buff = 0; size_t remaining_len_of_buff = 0; uint32_t *offset = NULL; struct cam_config_dev_cmd config; struct i2c_data_settings *i2c_data = NULL; Loading @@ -115,20 +116,35 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, &generic_ptr, &len_of_buff); if (rc < 0) { CAM_ERR(CAM_SENSOR, "Failed in getting the buffer: %d", rc); CAM_ERR(CAM_SENSOR, "Failed in getting the packet: %d", rc); return rc; } remaining_len_of_buff = len_of_buff; if ((sizeof(struct cam_packet) > len_of_buff) || ((size_t)config.offset >= len_of_buff - sizeof(struct cam_packet))) { CAM_ERR(CAM_SENSOR, "Inval cam_packet strut size: %zu, len_of_buff: %zu", sizeof(struct cam_packet), len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= config.offset; csl_packet = (struct cam_packet *)(generic_ptr + (uint32_t)config.offset); if (config.offset > len_of_buff) { if (((size_t)(csl_packet->header.size) > remaining_len_of_buff)) { CAM_ERR(CAM_SENSOR, "offset is out of bounds: off: %lld len: %zu", config.offset, len_of_buff); "Inval pkt_header_size: %zu, len:of_buff: %zu", csl_packet->header.size, remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } remaining_len_of_buff -= sizeof(struct cam_packet); if ((csl_packet->header.op_code & 0xFFFFFF) != CAM_SENSOR_PACKET_OPCODE_SENSOR_INITIAL_CONFIG && csl_packet->header.request_id <= s_ctrl->last_flush_req Loading Loading 
@@ -225,6 +241,14 @@ static int32_t cam_sensor_i2c_pkt_parse(struct cam_sensor_ctrl_t *s_ctrl, goto rel_pkt_buf; } if ((sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff) || (csl_packet->num_cmd_buf * sizeof(struct cam_cmd_buf_desc) > remaining_len_of_buff)) { CAM_ERR(CAM_SENSOR, "InVal len: %zu", remaining_len_of_buff); rc = -EINVAL; goto rel_pkt_buf; } offset = (uint32_t *)&csl_packet->payload; offset += csl_packet->cmd_buf_offset / 4; cmd_desc = (struct cam_cmd_buf_desc *)(offset); Loading
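Review bot: `cam_sensor_i2c_pkt_parse` checks `(size_t)config.offset` and subtracts the uncast `config.offset` from `remaining_len_of_buff`, but forms the pointer with `(uint32_t)config.offset`, so the bound, the remaining length and the address come from three differently converted values. The flash PMIC hunk in this commit drops the `(uint32_t)` cast, while the actuator, csiphy and OIS parsers keep it. Converting once into a local after the check, e.g. `size_t pkt_offset = (size_t)config.offset;`, and using it for all three would keep them in agreement. The function begins and ends outside these hunks.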