authorE V Ravi <evenka@codeaurora.org>2019-07-19 12:13:04 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2019-08-06 02:52:00 -0700
commit93a7ada205dbc394deefcc78777d44b21aaa50eb (patch)
treeabcc2846e3ea0a84ea028f5df86a5636ab9fce13
parente061bd441317313a36dae52f4bf659cb93f6cedb (diff)
msm: ais: eeprom: Fix OOB condition for memory map countLE.UM.4.1.1-01310-sa515mLE.UM.4.1.1-01210-sa515m
Fix OOB check for memory map count to access correct memory map. Change-Id: I55fb4ecbca36d47ebde80a912e621fb030f187a0 Signed-off-by: E V Ravi <evenka@codeaurora.org>
-rw-r--r--drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c b/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
index 209daa2064d9..3683fc73501b 100644
--- a/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/drivers/media/platform/msm/ais/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -439,7 +439,8 @@ static int32_t cam_eeprom_parse_memory_map(
validate_size = sizeof(struct cam_cmd_unconditional_wait);
if (remain_buf_len < validate_size ||
- *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {
+ *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {
CAM_ERR(CAM_EEPROM, "not enough buffer");
return -EINVAL;
}
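Review bot: The new limit `MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE` is open-coded here and again in the I2C random-write check in the next hunk, and nothing visible in this diff ties it to the size of the map array that `*num_map` presumably indexes. If that array is allocated elsewhere, the check only prevents an out-of-bounds write while the expressions stay identical, so a single shared macro for the product, or a comment such as `/* must equal the number of map entries allocated by the caller */`, would keep them in sync. This branch also compares `*num_map` uncast while the next hunk casts it to `size_t`; the two checks should treat the counter the same way. The message "not enough buffer" is now also logged when the map is full, which will mislead anyone triaging the log. The function body starts and ends outside the hunk.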
@@ -449,7 +450,9 @@ static int32_t cam_eeprom_parse_memory_map(
if (i2c_random_wr->header.count == 0 ||
i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
- (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
+ (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
+ i2c_random_wr->header.count)) {
CAM_ERR(CAM_EEPROM, "OOB Error");
return -EINVAL;
}
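Review bot: The subtraction in the third condition appears safe only because the `header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT` test on the line above short-circuits first. If the two tests are ever reordered or that limit is relaxed, the right-hand side could go negative and, compared against a `size_t`, wrap to a huge value that lets any `*num_map` through. A comment such as `/* count < MSM_EEPROM_MAX_MEM_MAP_CNT is checked above, so this subtraction cannot wrap */` would record that dependency. If the code after this check (outside the hunk) writes `header.count` entries starting at `*num_map`, then `>=` also rejects a command that would fill the array exactly. That is conservative, not unsafe, but worth stating as intended.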