touchscreen: focaltech: fix coverity warning

PD#172715: touchscreen: focaltech: fix coverity warning

In the "copy_from_user" function does not ensure that
the string "writebuf" ends with a null character.So that
need to add a null character at the end.
This causes "String not null terminated".

Change-Id: I4cc0736ec06652226f39dd5dcde3dc7406639b89
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>

diff --git a/drivers/amlogic/input/touchscreen/focaltech_touch/focaltech_ex_fun.c b/drivers/amlogic/input/touchscreen/focaltech_touch/focaltech_ex_fun.c
old mode 100755 (executable)
new mode 100644 (file)
index 3c4e9cf..6af5c94
--- a/drivers/amlogic/input/touchscreen/focaltech_touch/focaltech_ex_fun.c
+++ b/drivers/amlogic/input/touchscreen/focaltech_touch/focaltech_ex_fun.c
@@ -130,16 +130,18 @@ static void esd_process(u8 *writebuf, int buflen, bool flag)
 static ssize_t fts_debug_write(struct file *filp, const char __user *buff, size_t count, loff_t *ppos)
 {
     unsigned char writebuf[WRITE_BUF_SIZE];
-    int buflen = count;
+    int buflen = 0;
     int writelen = 0;
     int ret = 0;
     char tmp[25];
 
+    buflen = count < WRITE_BUF_SIZE ? count : WRITE_BUF_SIZE - 1;
     if (copy_from_user(&writebuf, buff, buflen))
     {
         FTS_DEBUG("[APK]: copy from user error!!");
         return -EFAULT;
     }
+    writebuf[buflen] = '\0';
 #if FTS_ESDCHECK_EN
     esd_process(writebuf, buflen, 1);
 #endif
@@ -151,6 +153,7 @@ static ssize_t fts_debug_write(struct file *filp, const char __user *buff, size_
             char upgrade_file_path[FILE_NAME_LENGTH];
             memset(upgrade_file_path, 0, sizeof(upgrade_file_path));
             sprintf(upgrade_file_path, "%s", writebuf + 1);
+            buflen = count < FILE_NAME_LENGTH ? count : FILE_NAME_LENGTH - 1;
             upgrade_file_path[buflen-1] = '\0';
             FTS_DEBUG("%s\n", upgrade_file_path);
             fts_irq_disable();
@@ -214,6 +217,7 @@ static ssize_t fts_debug_write(struct file *filp, const char __user *buff, size_
         case PROC_HW_RESET:
 
             sprintf(tmp, "%s", writebuf + 1);
+            buflen = count < 25 ? count : 25 - 1;
             tmp[buflen - 1] = '\0';
             if (strncmp(tmp,"focal_driver",12)==0)
             {