
Commit 5a3dc172 authored by Subbaraman Narayanamurthy's avatar Subbaraman Narayanamurthy

power: qcom-charger: fix possible out of bounds access for GEN3 FG driver



Fix the following things in fg-util.c which is included by GEN3
FG driver:

- Possible out of bounds access in fg_sram_dfs_reg_write() when
  using bytes_read from sscanf
- Fix uninitialized usage of variable in write_next_line_to_log()

Change-Id: If9e7ba5632d1b5f99d91bda6276d9123c37e4dc7
Signed-off-by: default avatarSubbaraman Narayanamurthy <subbaram@codeaurora.org>
parent 8702ef51
+5 −5
@@ -384,7 +384,7 @@ static int print_to_log(struct fg_log_buffer *log, const char *fmt, ...)
static int write_next_line_to_log(struct fg_trans *trans, int offset,
static int write_next_line_to_log(struct fg_trans *trans, int offset,
				size_t *pcnt)
				size_t *pcnt)
{
{
	int i, j;
	int i;
	u8 data[ITEMS_PER_LINE];
	u8 data[ITEMS_PER_LINE];
	u16 address;
	u16 address;
	struct fg_log_buffer *log = trans->log;
	struct fg_log_buffer *log = trans->log;
@@ -397,7 +397,6 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
		goto done;
		goto done;


	memcpy(data, trans->data + (offset - trans->addr), items_to_read);
	memcpy(data, trans->data + (offset - trans->addr), items_to_read);

	*pcnt -= items_to_read;
	*pcnt -= items_to_read;


	/* address is in word now and it increments by 1. */
	/* address is in word now and it increments by 1. */
@@ -407,8 +406,8 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
		goto done;
		goto done;


	/* Log the data items */
	/* Log the data items */
	for (j = 0; i < items_to_log; ++i, ++j) {
	for (i = 0; i < items_to_log; ++i) {
		cnt = print_to_log(log, "%2.2X ", data[j]);
		cnt = print_to_log(log, "%2.2X ", data[i]);
		if (cnt == 0)
		if (cnt == 0)
			goto done;
			goto done;
	}
	}
@@ -552,7 +551,8 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
	values = kbuf;
	values = kbuf;


	/* Parse the data in the buffer.  It should be a string of numbers */
	/* Parse the data in the buffer.  It should be a string of numbers */
	while (sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
	while ((pos < count) &&
		sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
		pos += bytes_read;
		pos += bytes_read;
		values[cnt++] = data & 0xff;
		values[cnt++] = data & 0xff;
	}
	}
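Review bot: In fg_sram_dfs_reg_write(), the added `pos < count` test only stops a parse from starting past the end of the input; sscanf() takes no length, so the loop stays in bounds only if kbuf is NUL-terminated at kbuf[count], and that setup is outside this hunk and should be confirmed. The write index cnt has no bound of its own: it is safe only because `values = kbuf` aliases the parse buffer and every successful `%i` consumes at least one byte, so cnt cannot overtake pos. That invariant deserves a comment above the loop, for example `/* values aliases kbuf; each number consumes >= 1 byte, so cnt <= pos */`. Separately, `data & 0xff` silently truncates an out-of-range number before it is stored, so rejecting such input through the function's existing error path (not visible here) would be safer than writing a value the user did not ask for.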