
Commit 3303adcb authored by Samyukta Mogily Committed by Gerrit - the friendly Code Review server

msm: sensor: Fix for variable being de-referenced without proper check



Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.

Change-Id: I731a015c952d131187a47a8d346fb6478fddeeb1
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
parent 229a28ac
+6 −6
/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1021,13 +1021,13 @@ static long msm_flash_subdev_do_ioctl(
	sd = vdev_to_v4l2_subdev(vdev);
	u32 = (struct msm_flash_cfg_data_t32 *)arg;

	switch (cmd) {
	case VIDIOC_MSM_FLASH_CFG32:
		flash_data.cfg_type = u32->cfg_type;
		for (i = 0; i < MAX_LED_TRIGGERS; i++) {
			flash_data.flash_current[i] = u32->flash_current[i];
			flash_data.flash_duration[i] = u32->flash_duration[i];
		}
	switch (cmd) {
	case VIDIOC_MSM_FLASH_CFG32:
		cmd = VIDIOC_MSM_FLASH_CFG;
		switch (flash_data.cfg_type) {
		case CFG_FLASH_OFF:
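Review bot: With the copy moved inside `case VIDIOC_MSM_FLASH_CFG32:`, `flash_data` is filled in only on that path, so any other command that reaches code reading `flash_data` after the switch would see whatever its declaration left in it. The declaration and the rest of msm_flash_subdev_do_ioctl are outside the hunk, so this needs confirming there; if the struct is not already zeroed, `memset(&flash_data, 0, sizeof(flash_data));` before the switch would close the gap. A short comment above the copy, such as `/* arg is only known to hold a msm_flash_cfg_data_t32 once cmd has matched */`, would also keep a later edit from hoisting the reads back out of the case.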
+1 −3
@@ -774,11 +774,10 @@ static long msm_ois_subdev_do_ioctl(
	u32 = (struct msm_ois_cfg_data32 *)arg;
	parg = arg;

	ois_data.cfgtype = u32->cfgtype;

	switch (cmd) {
	case VIDIOC_MSM_OIS_CFG32:
		cmd = VIDIOC_MSM_OIS_CFG;
		ois_data.cfgtype = u32->cfgtype;

		switch (u32->cfgtype) {
		case CFG_OIS_CONTROL:
@@ -812,7 +811,6 @@ static long msm_ois_subdev_do_ioctl(
			settings.reg_setting =
				compat_ptr(settings32.reg_setting);

			ois_data.cfgtype = u32->cfgtype;
			ois_data.cfg.settings = &settings;
			parg = &ois_data;
			break;
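Review bot: In the first hunk the new assignment `ois_data.cfgtype = u32->cfgtype;` is followed directly by `switch (u32->cfgtype)`, so the field is read twice from the caller-supplied buffer and the value dispatched on is not tied to the one stored. Switching on the local copy, `switch (ois_data.cfgtype) {`, makes it a single read and matches the flash driver in this same commit, which switches on `flash_data.cfg_type`. Whether `arg` is already a kernel-side copy at this point is not visible here; if it is, this is a consistency point rather than a double-fetch one. The body of msm_ois_subdev_do_ioctl continues outside both hunks.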