diff options
author | MichaĆ Orynicz <michal.orynicz@sonymobile.com> | 2016-10-21 15:52:29 +0200 |
---|---|---|
committer | Alain Vongsouvanh <alainv@google.com> | 2016-11-03 15:39:47 +0000 |
commit | 0ecf64d2b0edf65e5f1dd08f1f214534bc485143 (patch) | |
tree | ffa76d0fb4a83d9df3a0543dfb1dfe7ff2b08011 | |
parent | b133f1debf5abe4cce2ea4ca97ee3f3ba2e03f87 (diff) | |
download | bcm-0ecf64d2b0edf65e5f1dd08f1f214534bc485143.tar.gz |
Prevent potential heap overflow in fwu_sysfs_store_image
In the fwu_sysfs_store_image function, there is no validation
of the count variable leading to a potential heap overflow.
Add additional bounds checks to prevent the potential heap overflow.
This commit combines snippets ANDROID-30799828 and
ANDROID-30937462
Change-Id: I14d60ce39ecc724a8fee1b8373da940d788b18cd
-rw-r--r-- | drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c | 7 | ||||
-rw-r--r-- | drivers/input/touchscreen/synaptics_fw_update.c | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c index 91b8c1265e8..3bfa6f31066 100644 --- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c +++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c @@ -1545,6 +1545,13 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, struct kobject *kobj, struct bin_attribute *attributes, char *buf, loff_t pos, size_t count) { + if (count > (fwu->image_size - fwu->data_pos)) { + dev_err(fwu->rmi4_data->pdev->dev.parent, + "%s: Not enough space in buffer\n", + __func__); + return -EINVAL; + } + memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]), (const void *)buf, count); diff --git a/drivers/input/touchscreen/synaptics_fw_update.c b/drivers/input/touchscreen/synaptics_fw_update.c index bfbf9d488c9..3a1c89f567d 100644 --- a/drivers/input/touchscreen/synaptics_fw_update.c +++ b/drivers/input/touchscreen/synaptics_fw_update.c @@ -1621,6 +1621,14 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, struct kobject *kobj, struct bin_attribute *attributes, char *buf, loff_t pos, size_t count) { + + if (count > fwu->image_size - fwu->data_pos) { + dev_err(&fwu->rmi4_data->i2c_client->dev, + "%s: Not enough space in buffer\n", + __func__); + return -EINVAL; + } + memcpy((void *)(&fwu->ext_data_source[fwu->data_pos]), (const void *)buf, count); |