Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ee85c0d2 authored by Suprith Malligere Shankaregowda's avatar Suprith Malligere Shankaregowda Committed by Gerrit - the friendly Code Review server
Browse files

msm: ais: Fix out-of-bounds read in string class name 



jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.

Change-Id: I4cdae4b9fcf6bd59c8f3ccc6d64a66f7866b7876
Signed-off-by: default avatarSuprith Malligere Shankaregowda <supgow@codeaurora.org>
parent 20530c1e

drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c

+3 −2
Original line number Diff line number Diff line 
/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -32,6 +32,8 @@ 
#define MSM_JPEG_NAME "jpeg"

#define DEV_NAME_LEN 10



static char devname[DEV_NAME_LEN];



static int msm_jpeg_open(struct inode *inode, struct file *filp)

{

	int rc = 0;
@@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev) 
	struct msm_jpeg_device *msm_jpeg_device_p;

	const struct of_device_id *device_id;

	const struct msm_jpeg_priv_data *priv_data;

	char devname[DEV_NAME_LEN];



	msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC);

	if (!msm_jpeg_device_p) {