Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5935e3aa authored by Mukund Atre's avatar Mukund Atre Committed by Mukund Madhusudan Atre
Browse files

msm: camera: flash: Validate led count in flash packet parser 



Add upper bound on count of leds in flash packet parser.

Change-Id: I646bc92caa660e146feabdf161a178171f146115
Signed-off-by: default avatarMukund Atre <matre@codeaurora.org>
parent 40736b30

drivers/media/platform/msm/camera/cam_sensor_module/cam_flash/cam_flash_core.c

+44 −0
Original line number Diff line number Diff line
@@ -1374,6 +1374,18 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 


			flash_operation_info =

				(struct cam_flash_set_on_off *) cmd_buf;

			if (!flash_operation_info) {

				CAM_ERR(CAM_FLASH,

					"flash_operation_info Null");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}

			fctrl->nrt_info.cmn_attr.count =

				flash_operation_info->count;

			fctrl->nrt_info.cmn_attr.request_id = 0;
@@ -1462,6 +1474,12 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
				rc = -EINVAL;

				goto rel_cmd_buf;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}



			flash_data->opcode = flash_operation_info->opcode;

			flash_data->cmn_attr.count =
@@ -1505,6 +1523,19 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
			CAM_DBG(CAM_FLASH, "Widget Flash Operation");

			flash_operation_info =

				(struct cam_flash_set_on_off *) cmd_buf;

			if (!flash_operation_info) {

				CAM_ERR(CAM_FLASH,

					"flash_operation_info Null");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}

			if (flash_operation_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}



			fctrl->nrt_info.cmn_attr.count =

				flash_operation_info->count;

			fctrl->nrt_info.cmn_attr.request_id = 0;
@@ -1553,6 +1584,19 @@ int cam_flash_pmic_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg) 
		case CAMERA_SENSOR_FLASH_CMD_TYPE_RER: {

			rc = 0;

			flash_rer_info = (struct cam_flash_set_rer *)cmd_buf;

			if (!flash_rer_info) {

				CAM_ERR(CAM_FLASH,

					"flash_rer_info Null");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}

			if (flash_rer_info->count >

				CAM_FLASH_MAX_LED_TRIGGERS) {

				CAM_ERR(CAM_FLASH, "led count out of limit");

				rc = -EINVAL;

				goto rel_cmd_buf;

			}



			fctrl->nrt_info.cmn_attr.cmd_type =

				CAMERA_SENSOR_FLASH_CMD_TYPE_RER;

			fctrl->nrt_info.opcode = flash_rer_info->opcode;