author | E V Ravi <evenka@codeaurora.org> | 2019-07-19 12:13:04 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-08-06 02:52:00 -0700 |
commit | 93a7ada205dbc394deefcc78777d44b21aaa50eb (patch) | |
tree | abcc2846e3ea0a84ea028f5df86a5636ab9fce13 | |
parent | e061bd441317313a36dae52f4bf659cb93f6cedb (diff) |
msm: ais: eeprom: Fix OOB condition for memory map countLE.UM.4.1.1-01310-sa515mLE.UM.4.1.1-01210-sa515m
Fix OOB check for memory map count to access correct memory map.
Change-Id: I55fb4ecbca36d47ebde80a912e621fb030f187a0
Signed-off-by: E V Ravi <evenka@codeaurora.org>
-rw-r--r-- | drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c b/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c index 209daa2064d9..3683fc73501b 100644 --- a/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c +++ b/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c @@ -439,7 +439,8 @@ static int32_t cam_eeprom_parse_memory_map( validate_size = sizeof(struct cam_cmd_unconditional_wait); if (remain_buf_len < validate_size || - *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) { + *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT * + MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) { CAM_ERR(CAM_EEPROM, "not enough buffer"); return -EINVAL; } @@ -449,7 +450,9 @@ static int32_t cam_eeprom_parse_memory_map( if (i2c_random_wr->header.count == 0 || i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT || - (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) { + (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT * + MSM_EEPROM_MEMORY_MAP_MAX_SIZE) - + i2c_random_wr->header.count)) { CAM_ERR(CAM_EEPROM, "OOB Error"); return -EINVAL; } |
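Review bot: The new limit on `*num_map` is the product `MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE`, written out in the unconditional-wait check here and again in the random-write check of the next hunk, and neither hunk shows that it equals the number of entries allocated for the map that `*num_map` indexes. Because this change raises the bound rather than tightening it, the check only prevents an out-of-bounds write if the allocation, which is outside this diff, uses the same product. I would define the capacity once and use it in the allocation and in both checks, for example `#define EEPROM_MAP_CAPACITY (MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE)` (name illustrative, not an existing macro). The body of cam_eeprom_parse_memory_map starts and ends outside the hunk, so the code that consumes `*num_map` is not visible here.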
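Review bot: In the random-write check, the subtraction `(MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE) - i2c_random_wr->header.count` cannot wrap only because the clause before it already rejected `header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT`. That relies on the order of the `||` operands and, presumably, on `MSM_EEPROM_MEMORY_MAP_MAX_SIZE` being at least 1; neither is stated. I would add a comment above the condition such as `/* count < MSM_EEPROM_MAX_MEM_MAP_CNT is checked first, so the subtraction below cannot underflow */` so a later reordering does not silently reopen the bound. The comparison also uses `>=`, which rejects a command that would fill the map exactly; if that spare slot is intentional the same comment should say so.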