author | Linux Build Service Account <lnxbuild@localhost> | 2019-07-23 00:58:47 -0700 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-07-23 00:58:47 -0700 |
commit | cc5535de7dca1c3326d6fca0ec9c78d975b114f1 (patch) | |
tree | 39abdb9b831fcb3d1a8a0c4d679c351581c09af5 | |
parent | 3d807a1fbb68c4a5adc8559044554bb0bba356bb (diff) | |
parent | 85c8794ffffea0bf3498bd1e7c1e53cb66bb9151 (diff) |
Merge "msm: camera: eeprom: Fix OOB condition for memory map count"LA.UM.7.9.r1-07800-sm6150.0
-rw-r--r-- | drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
index 57aa7955a6db..c74be4cf4e45 100644
--- a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -439,7 +439,8 @@ static int32_t cam_eeprom_parse_memory_map(
 validate_size = sizeof(struct cam_cmd_unconditional_wait);
 if (remain_buf_len < validate_size ||
- *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {
+ *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {
 CAM_ERR(CAM_EEPROM, "not enough buffer");
 return -EINVAL;
 }
@@ -449,7 +450,9 @@ static int32_t cam_eeprom_parse_memory_map(
 if (i2c_random_wr->header.count == 0 ||
 i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
- (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
+ (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
+ i2c_random_wr->header.count)) {
 CAM_ERR(CAM_EEPROM, "OOB Error");
 return -EINVAL;
 } |
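Review bot: The widened limit on `*num_map` in the first hunk is a valid bound only if the map array this function fills really has `MSM_EEPROM_MAX_MEM_MAP_CNT * MSM_EEPROM_MEMORY_MAP_MAX_SIZE` entries, and neither that array's declaration nor its allocation is visible here. The same product is spelled out again in the second hunk's `i2c_random_wr->header.count` check, so I would define it once as a named constant beside the array's definition and use that name in both places, which keeps the check and the allocation from drifting apart. This comparison is also written without the `(size_t)` cast the second hunk applies; if `num_map` points to a signed type (its declaration is outside the hunk), a negative value would pass here, and `(size_t)*num_map >= ...` would make the two checks agree. The body of cam_eeprom_parse_memory_map starts and ends outside the hunk.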
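Review bot: The `>=` in the new third clause of the second hunk also rejects the case where `*num_map + i2c_random_wr->header.count` lands exactly on the limit, which errs on the safe side but, as far as this hunk shows, leaves the last map entry unreachable through this path. The replaced `U16_MAX` test only guarded the arithmetic, so this clause is now what keeps the writes that presumably follow inside the array, and that deserves a comment such as `/* count < MSM_EEPROM_MAX_MEM_MAP_CNT was checked above, so the subtraction cannot wrap; '>=' keeps one entry spare */`. If the spare entry is not intended, `>` is the exact-fit form. The enclosing case block continues outside the hunk.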