Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 130f5eae authored by Trishansh Bhardwaj's avatar Trishansh Bhardwaj Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: Fix out-of-bounds read in string class name. 



jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.

Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
Signed-off-by: default avatarTrishansh Bhardwaj <tbhardwa@codeaurora.org>
parent fab1b6d5

drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c

+2 −1
Original line number Diff line number Diff line
@@ -32,6 +32,8 @@ 
#define MSM_JPEG_NAME "jpeg"

#define DEV_NAME_LEN 10



static char devname[DEV_NAME_LEN];



static int msm_jpeg_open(struct inode *inode, struct file *filp)

{

	int rc = 0;
@@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev) 
	struct msm_jpeg_device *msm_jpeg_device_p;

	const struct of_device_id *device_id;

	const struct msm_jpeg_priv_data *priv_data;

	char devname[DEV_NAME_LEN];



	msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC);

	if (!msm_jpeg_device_p) {