Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

This project is archived. Its data is read-only.

Commit 6467925a authored Jul 11, 2017 by Samyukta Mogily

msm: sensor: Fix for variable being de-referenced without proper check

Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.

Change-Id: I8db9382dd184f1564176ab45355954dcde8a3ab3
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>

parent 1ccca473

drivers/media/platform/msm/ais/sensor/flash/msm_flash.c

+5 −5

Original line number	Diff line number	Diff line
		@@ -1022,13 +1022,13 @@ static long msm_flash_subdev_do_ioctl(
		sd = vdev_to_v4l2_subdev(vdev);
		u32 = (struct msm_flash_cfg_data_t32 *)arg;

		switch (cmd) {
		case VIDIOC_MSM_FLASH_CFG32:
		flash_data.cfg_type = u32->cfg_type;
		for (i = 0; i < MAX_LED_TRIGGERS; i++) {
		flash_data.flash_current[i] = u32->flash_current[i];
		flash_data.flash_duration[i] = u32->flash_duration[i];
		}
		switch (cmd) {
		case VIDIOC_MSM_FLASH_CFG32:
		cmd = VIDIOC_MSM_FLASH_CFG;
		switch (flash_data.cfg_type) {
		case CFG_FLASH_OFF:

drivers/media/platform/msm/ais/sensor/ois/msm_ois.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -781,11 +781,10 @@ static long msm_ois_subdev_do_ioctl(
		u32 = (struct msm_ois_cfg_data32 *)arg;
		parg = arg;

		ois_data.cfgtype = u32->cfgtype;

		switch (cmd) {
		case VIDIOC_MSM_OIS_CFG32:
		cmd = VIDIOC_MSM_OIS_CFG;
		ois_data.cfgtype = u32->cfgtype;

		switch (u32->cfgtype) {
		case CFG_OIS_CONTROL: