msm: mdss: fix possible overflow errors in panel_debug_base_reg_read (66221ce8) · Commits · e / devices / android_kernel_sony_msm8998

The panel_reg_buf is a dynamically allocated buffer of size reg_buf_len so checking sizeof(panel_reg_buf) is incorrect. Using scnprintf will ensure that len is at most reg_buf_len - 1 after all the prints. This allows sanity checks to be removed which were incorrectly skipping clock disable, resulting in an extra clock reference count. Change-Id: Ic3bb685c7b83eefef7bc207ad93d6a2a9e36fd33 Signed-off-by:

Patrick Auchter <auchter@motorola.com> Signed-off-by:

Veera Sundaram Sankaran <veeras@codeaurora.org> (cherry picked from commit 89bede0751357bc24701b8ebfe326d3e6bb46683)

drivers/video/fbdev/msm/mdss_debug.c

+4 −8

Original line number	Diff line number	Diff line
		@@ -244,23 +244,19 @@ static ssize_t panel_debug_base_reg_read(struct file *file,
		mdss_dsi_panel_cmd_read(ctrl_pdata, panel_reg[0], panel_reg[1],
		NULL, rx_buf, dbg->cnt);

		len = snprintf(panel_reg_buf, reg_buf_len, "0x%02zx: ", dbg->off);
		if (len < 0)
		goto read_reg_fail;
		len = scnprintf(panel_reg_buf, reg_buf_len, "0x%02zx: ", dbg->off);

		for (i = 0; (len < reg_buf_len) && (i < ctrl_pdata->rx_len); i++)
		len += scnprintf(panel_reg_buf + len, reg_buf_len - len,
		"0x%02x ", rx_buf[i]);

		if (len)
		panel_reg_buf[len - 1] = '\n';

		if (mdata->debug_inf.debug_enable_clock)
		mdata->debug_inf.debug_enable_clock(0);

		if (len < 0 \|\| len >= sizeof(panel_reg_buf))
		return 0;

		if ((count < sizeof(panel_reg_buf))
		if ((count < reg_buf_len)
		\|\| (copy_to_user(user_buf, panel_reg_buf, len)))
		goto read_reg_fail;