Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f1e53227 authored by Sureshnaidu Laveti's avatar Sureshnaidu Laveti Committed by Gerrit - the friendly Code Review server
Browse files

msm: sensor: validate the i2c table index before use 



Verifying the i2c table index value before accessing
the i2c table to avoid memory corruption issues.

CRs-Fixed: 1065916
Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
Signed-off-by: default avatarSureshnaidu Laveti <lsuresh@codeaurora.org>
parent 626caf4e

drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c

+9 −5
Original line number Diff line number Diff line
@@ -101,11 +101,6 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, 
	i2c_tbl = a_ctrl->i2c_reg_tbl;



	for (i = 0; i < size; i++) {

		/* check that the index into i2c_tbl cannot grow larger that

		the allocated size of i2c_tbl */

		if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index))

			break;



		if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {

			value = (next_lens_position <<

				write_arr[i].data_shift) |
@@ -119,6 +114,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, 
					i2c_byte2 = value & 0xFF;

					CDBG("byte1:0x%x, byte2:0x%x\n",

						i2c_byte1, i2c_byte2);

					if (a_ctrl->i2c_tbl_index >

						a_ctrl->total_steps) {

						pr_err("failed:i2c table index out of bound\n");

						break;

					}

					i2c_tbl[a_ctrl->i2c_tbl_index].

						reg_addr = i2c_byte1;

					i2c_tbl[a_ctrl->i2c_tbl_index].
@@ -139,6 +139,10 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, 
			i2c_byte2 = (hw_dword & write_arr[i].hw_mask) >>

				write_arr[i].hw_shift;

		}

		if (a_ctrl->i2c_tbl_index > a_ctrl->total_steps) {

			pr_err("failed: i2c table index out of bound\n");

			break;

		}

		CDBG("i2c_byte1:0x%x, i2c_byte2:0x%x\n", i2c_byte1, i2c_byte2);

		i2c_tbl[a_ctrl->i2c_tbl_index].reg_addr = i2c_byte1;

		i2c_tbl[a_ctrl->i2c_tbl_index].reg_data = i2c_byte2;