msm: camera: Fix memory read by adding bounds check (f769fe92) · Commits · e / devices / android_kernel_sony_msm8994

drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -1104,13 +1104,15 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
		int i;
		uint32_t hi_tbl_ptr = NULL, lo_tbl_ptr = NULL;
		uint32_t hi_val, lo_val, lo_val1;
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT \|\|
		reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
		hi_tbl_ptr = cfg_data +
		reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4;
		}
		lo_tbl_ptr = cfg_data +
		reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4;
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT)
		if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT \|\|
		reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT)
		reg_cfg_cmd->u.dmi_info.len =
		reg_cfg_cmd->u.dmi_info.len / 2;
		for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) {