msm: camera: eeprom: Fix OOB condition for memory map count
Fix OOB check for memory map count to access correct memory map.
Bug: 140423451
Test: Build Pass, Camera CTS test, camera basic function test
Change-Id: Ifa3d323103725e4df57e86295bb7567835654b71
Signed-off-by: Jigarkumar Zala <jzala@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
Signed-off-by: horngchuang <horngchuang@google.com>
diff --git a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
index 7a5216f..709adea 100644
--- a/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/drivers/media/platform/msm/camera/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -442,7 +442,8 @@
validate_size = sizeof(struct cam_cmd_unconditional_wait);
if (remain_buf_len < validate_size ||
- *num_map >= MSM_EEPROM_MAX_MEM_MAP_CNT) {
+ *num_map >= (MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE)) {
CAM_ERR(CAM_EEPROM, "not enough buffer");
return -EINVAL;
}
@@ -452,7 +453,9 @@
if (i2c_random_wr->header.count == 0 ||
i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
- (size_t)*num_map > U16_MAX - i2c_random_wr->header.count) {
+ (size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
+ MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
+ i2c_random_wr->header.count)) {
CAM_ERR(CAM_EEPROM, "OOB Error");
return -EINVAL;
}