From 155b6d873a0c247112fa0160b1d84735d10196e3 Mon Sep 17 00:00:00 2001 From: Patrick Delaunay Date: Thu, 10 Sep 2020 18:18:16 +0200 Subject: [PATCH] power: regulator: gpio-regulator: protect count value Update the size of states_array to avoid overflow for dev_pdata->voltages[j] and dev_pdata->states[j]. As the size of array is GPIO_REGULATOR_MAX_STATES, the size of states_array is limited by GPIO_REGULATOR_MAX_STATES * 2 = 4 instead of 8 previously. The value of the "count" variable is limited by the third parameter of fdtdec_get_int_array_count. Signed-off-by: Patrick Delaunay Reviewed-by: Simon Glass --- drivers/power/regulator/gpio-regulator.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/power/regulator/gpio-regulator.c b/drivers/power/regulator/gpio-regulator.c index 947f812d09..017a3644fe 100644 --- a/drivers/power/regulator/gpio-regulator.c +++ b/drivers/power/regulator/gpio-regulator.c @@ -35,7 +35,7 @@ static int gpio_regulator_ofdata_to_platdata(struct udevice *dev) const void *blob = gd->fdt_blob; int node = dev_of_offset(dev); int ret, count, i, j; - u32 states_array[8]; + u32 states_array[GPIO_REGULATOR_MAX_STATES * 2]; dev_pdata = dev_get_platdata(dev); uc_pdata = dev_get_uclass_platdata(dev); @@ -58,7 +58,8 @@ static int gpio_regulator_ofdata_to_platdata(struct udevice *dev) debug("regulator gpio - not found! Error: %d", ret); count = fdtdec_get_int_array_count(blob, node, "states", - states_array, 8); + states_array, + ARRAY_SIZE(states_array)); if (!count) return -EINVAL; -- 2.39.5