Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ec9f23a authored by Rashi Bindra's avatar Rashi Bindra Committed by Gerrit - the friendly Code Review server
Browse files

msm: mdss: Fix for wrong length in copy_to_user 



The caller could have a small buf passed (less then < blen).
Since, the length of count and blen is not checked, it can
write beyond the end of buf.

Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: default avatarRashi Bindra <rbindra@codeaurora.org>
parent c24ebdd6

drivers/video/msm/mdss/mdss_dsi.c

+1 −1
Original line number Diff line number Diff line
@@ -745,7 +745,7 @@ static ssize_t mdss_dsi_cmd_state_read(struct file *file, char __user *buf, 
	if (blen < 0)

		return 0;



	if (copy_to_user(buf, buffer, blen))

	if (copy_to_user(buf, buffer, min(count, (size_t)blen+1)))

		return -EFAULT;



	*ppos += blen;