diff options
| author | Rajesh Bondugula <rajeshb@codeaurora.org> | 2016-04-13 14:31:58 -0700 |
|---|---|---|
| committer | Jeevan Shriram <jshriram@codeaurora.org> | 2016-05-06 12:06:18 -0700 |
| commit | fdb31c94336724f9b2566ce41d06bfebf8dfb84f (patch) | |
| tree | f41348dc748994915b78f0b58023c10e49e97ee4 | |
| parent | 058e654f8b6fad89032ca91bf6f11a642c6a27f7 (diff) | |
msm: camera: sensor: Validate step_boundary
step_boundary can take values upto the total_steps
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 35 |
1 files changed, 29 insertions, 6 deletions
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c index 0ad3d9a51f20..368a3ad1c95f 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c @@ -853,7 +853,7 @@ static int32_t msm_actuator_bivcm_init_step_table( { int16_t code_per_step = 0; int16_t cur_code = 0; - int16_t step_index = 0, region_index = 0; + uint16_t step_index = 0, region_index = 0; uint16_t step_boundary = 0; uint32_t max_code_size = 1; uint16_t data_size = set_info->actuator_params.data_size; @@ -894,6 +894,15 @@ static int32_t msm_actuator_bivcm_init_step_table( step_boundary = a_ctrl->region_params[region_index]. step_bound[MOVE_NEAR]; + if (step_boundary > + set_info->af_tuning_params.total_steps) { + pr_err("invalid step_boundary = %d, max_val = %d", + step_boundary, + set_info->af_tuning_params.total_steps); + kfree(a_ctrl->step_position_table); + a_ctrl->step_position_table = NULL; + return -EINVAL; + } qvalue = a_ctrl->region_params[region_index].qvalue; for (; step_index <= step_boundary; step_index++) { @@ -929,20 +938,25 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl, int16_t code_per_step = 0; uint32_t qvalue = 0; int16_t cur_code = 0; - int16_t step_index = 0, region_index = 0; + uint16_t step_index = 0, region_index = 0; uint16_t step_boundary = 0; uint32_t max_code_size = 1; uint16_t data_size = set_info->actuator_params.data_size; CDBG("Enter\n"); + /* validate the actuator state */ + if (a_ctrl->actuator_state != ACT_OPS_ACTIVE) { + pr_err("%s:%d invalid actuator_state %d\n" + , __func__, __LINE__, a_ctrl->actuator_state); + return -EINVAL; + } for (; data_size > 0; data_size--) max_code_size *= 2; a_ctrl->max_code_size = max_code_size; - if ((a_ctrl->actuator_state == ACT_OPS_ACTIVE) && - (a_ctrl->step_position_table != NULL)) { - kfree(a_ctrl->step_position_table); - } + + /* free the step_position_table to allocate a new one */ + kfree(a_ctrl->step_position_table); a_ctrl->step_position_table = NULL; if (set_info->af_tuning_params.total_steps @@ -971,6 +985,15 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl, step_boundary = a_ctrl->region_params[region_index]. step_bound[MOVE_NEAR]; + if (step_boundary > + set_info->af_tuning_params.total_steps) { + pr_err("invalid step_boundary = %d, max_val = %d", + step_boundary, + set_info->af_tuning_params.total_steps); + kfree(a_ctrl->step_position_table); + a_ctrl->step_position_table = NULL; + return -EINVAL; + } for (; step_index <= step_boundary; step_index++) { if (qvalue > 1 && qvalue <= MAX_QVALUE) |