[media] marvell-ccic: check register address

author Hans Verkuil <hans.verkuil@cisco.com>

Wed, 29 May 2013 10:00:02 +0000 (07:00 -0300)

committer Mauro Carvalho Chehab <mchehab@redhat.com>

Mon, 17 Jun 2013 11:54:44 +0000 (08:54 -0300)
author Hans Verkuil <hans.verkuil@cisco.com>
Wed, 29 May 2013 10:00:02 +0000 (07:00 -0300)
committer Mauro Carvalho Chehab <mchehab@redhat.com>
Mon, 17 Jun 2013 11:54:44 +0000 (08:54 -0300)
diff --git a/drivers/media/platform/marvell-ccic/cafe-driver.c b/drivers/media/platform/marvell-ccic/cafe-driver.c

index 7b07fc5..1f079ff 100644 (file)
--- a/drivers/media/platform/marvell-ccic/cafe-driver.c
+++ b/drivers/media/platform/marvell-ccic/cafe-driver.c
@@ -500,6 +500,7 @@ static int cafe_pci_probe(struct pci_dev *pdev,
                 printk(KERN_ERR "Unable to ioremap cafe-ccic regs\n");
                 goto out_disable;
         }
+       mcam->regs_size = pci_resource_len(pdev, 0);
         ret = request_irq(pdev->irq, cafe_irq, IRQF_SHARED, "cafe-ccic", cam);
         if (ret)
                 goto out_iounmap;
diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c

index a187161..c69cfc4 100644 (file)
--- a/drivers/media/platform/marvell-ccic/mcam-core.c
+++ b/drivers/media/platform/marvell-ccic/mcam-core.c
@@ -1404,6 +1404,8 @@ static int mcam_vidioc_g_register(struct file *file, void *priv,
  {
         struct mcam_camera *cam = priv;
  
+       if (reg->reg > cam->regs_size - 4)
+               return -EINVAL;
         reg->val = mcam_reg_read(cam, reg->reg);
         reg->size = 4;
         return 0;
@@ -1414,6 +1416,8 @@ static int mcam_vidioc_s_register(struct file *file, void *priv,
  {
         struct mcam_camera *cam = priv;
  
+       if (reg->reg > cam->regs_size - 4)
+               return -EINVAL;
         mcam_reg_write(cam, reg->reg, reg->val);
         return 0;
  }
diff --git a/drivers/media/platform/marvell-ccic/mcam-core.h b/drivers/media/platform/marvell-ccic/mcam-core.h

index 46b6ea3..520c8de 100644 (file)
--- a/drivers/media/platform/marvell-ccic/mcam-core.h
+++ b/drivers/media/platform/marvell-ccic/mcam-core.h
@@ -101,6 +101,7 @@ struct mcam_camera {
          */
         struct i2c_adapter *i2c_adapter;
         unsigned char __iomem *regs;
+       unsigned regs_size; /* size in bytes of the register space */
         spinlock_t dev_lock;
         struct device *dev; /* For messages, dma alloc */
         enum mcam_chip_id chip_id;
diff --git a/drivers/media/platform/marvell-ccic/mmp-driver.c b/drivers/media/platform/marvell-ccic/mmp-driver.c

index cadad64..a634888 100644 (file)
--- a/drivers/media/platform/marvell-ccic/mmp-driver.c
+++ b/drivers/media/platform/marvell-ccic/mmp-driver.c
@@ -202,6 +202,7 @@ static int mmpcam_probe(struct platform_device *pdev)
                 ret = -ENODEV;
                 goto out_free;
         }
+       mcam->regs_size = resource_size(res);
         /*
          * Power/clock memory is elsewhere; get it too.  Perhaps this
          * should really be managed outside of this driver?
author	Hans Verkuil <hans.verkuil@cisco.com>
	Wed, 29 May 2013 10:00:02 +0000 (07:00 -0300)
committer	Mauro Carvalho Chehab <mchehab@redhat.com>
	Mon, 17 Jun 2013 11:54:44 +0000 (08:54 -0300)
drivers/media/platform/marvell-ccic/cafe-driver.c		patch \| blob \| history
drivers/media/platform/marvell-ccic/mcam-core.c		patch \| blob \| history
drivers/media/platform/marvell-ccic/mcam-core.h		patch \| blob \| history
drivers/media/platform/marvell-ccic/mmp-driver.c		patch \| blob \| history