diff options
author | Manish Poddar <mpoddar@codeaurora.org> | 2016-07-07 17:22:06 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2016-07-20 22:50:49 -0700 |
commit | 80eb335deb4bef61cd7d544e3fb4690086551580 (patch) | |
tree | 8a8dc0f1152ac6822388a84e8c6ac749d16250b8 /drivers/media | |
parent | 9e4b3ba4afcff08bce320513610955391ab95806 (diff) |
msm: Camera buffer overflow fix
find_first_zero bit is considering addr parameter as unsigned
long and we are passing int variable.In the function it access
addr[i], so it tries to access 8 bytes , actual size of
open_idx and stream_id are 4 bytes.we change open_idx and
stream_id to long to fix it.
Change-Id: I510059cc8f495957bd2b5af9973b3495761edd06
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Diffstat (limited to 'drivers/media')
-rw-r--r-- | drivers/media/platform/msm/camera_v2/camera/camera.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/camera_v2/camera/camera.c b/drivers/media/platform/msm/camera_v2/camera/camera.c index c1aeb8c43e81..3985df780216 100644 --- a/drivers/media/platform/msm/camera_v2/camera/camera.c +++ b/drivers/media/platform/msm/camera_v2/camera/camera.c @@ -538,7 +538,7 @@ static int camera_v4l2_fh_open(struct file *filep) { struct msm_video_device *pvdev = video_drvdata(filep); struct camera_v4l2_private *sp; - unsigned int stream_id; + unsigned long stream_id; sp = kzalloc(sizeof(*sp), GFP_KERNEL); if (!sp) { @@ -617,7 +617,7 @@ static int camera_v4l2_open(struct file *filep) int rc = 0; struct v4l2_event event; struct msm_video_device *pvdev = video_drvdata(filep); - unsigned int opn_idx, idx; + unsigned long opn_idx, idx; BUG_ON(!pvdev); rc = camera_v4l2_fh_open(filep); |