Merge "msm: camera: eeprom: Fix OOB condition for memory map count"LA.UM.7.9.r1-07800-sm6150.0

1 files changed, 5 insertions, 2 deletions

diff --git a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
index 57aa7955a6db..c74be4cf4e45 100644
--- a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -439,7 +439,8 @@ static int32_t cam_eeprom_parse_memory_map(
 		validate_size = sizeof(struct cam_cmd_unconditional_wait);
 
 	if (remain_buf_len < validate_size ||
-	    *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {
+	    *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *
+		MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {
 		CAM_ERR(CAM_EEPROM, "not enough buffer");
 		return -EINVAL;
 	}
@@ -449,7 +450,9 @@ static int32_t cam_eeprom_parse_memory_map(
 
 		if (i2c_random_wr->header.count == 0 ||
 		    i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
-		    (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
+		    (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
+				MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
+				i2c_random_wr->header.count)) {
 			CAM_ERR(CAM_EEPROM, "OOB Error");
 			return -EINVAL;
 		}