diff options
author | Patrick Georgi <pgeorgi@google.com> | 2018-08-02 12:28:56 +0200 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-08-15 16:37:11 -0700 |
commit | fc0f071e171c3eb8904d0eaf2b609a328ce9c7ff (patch) | |
tree | 51a1a61ca33885c838b165ea5bb9551001d04cf3 /driver | |
parent | b7442b335d6b6a8549eb677058ae8f2782a82792 (diff) | |
download | chrome-ec-fc0f071e171c3eb8904d0eaf2b609a328ce9c7ff.tar.gz |
driver/accelgyro_lsm6dsm: prevent negative array access
While it "should" never happen, the fifo_next has some corner cases
where it might return a negative index.
The alternative to this approach is to make sure it never underflows, so
we don't need to guard against that.
Change-Id: I86b4e89598329b7a5039a2bd016fc46230b617ac
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Found-by: Coverity Scan #187061
Reviewed-on: https://chromium-review.googlesource.com/1160302
Commit-Ready: Patrick Georgi <pgeorgi@chromium.org>
Tested-by: Patrick Georgi <pgeorgi@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>
Diffstat (limited to 'driver')
-rw-r--r-- | driver/accelgyro_lsm6dsm.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/driver/accelgyro_lsm6dsm.c b/driver/accelgyro_lsm6dsm.c index 683b2ed616..29c21618a7 100644 --- a/driver/accelgyro_lsm6dsm.c +++ b/driver/accelgyro_lsm6dsm.c @@ -210,8 +210,19 @@ static void push_fifo_data(struct motion_sensor_t *accel, uint8_t *fifo, while (flen > 0) { struct ec_response_motion_sensor_data vect; - int id = agm_maps[fifo_next(private)]; - int *axis = (accel + id)->raw_xyz; + int id; + int *axis; + int next_fifo = fifo_next(private); + /* + * This should never happen, but it could. There will be a + * report from inside fifo_next about it, so no extra message + * required here. + */ + if (next_fifo == FIFO_DEV_INVALID) { + return; + } + id = agm_maps[next_fifo]; + axis = (accel + id)->raw_xyz; /* Apply precision, sensitivity and rotation. */ st_normalize(accel + id, axis, fifo); |