From d495811844ff2c2eb80b693f07f3f33e8be007d2 Mon Sep 17 00:00:00 2001
From: huyx
Date: Tue, 13 Aug 2024 16:59:19 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E4=BB=A3=E7=A0=81=E6=8E=92=E9=9B=B7-UAF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: huyx
---
 .../linux/model/camera/src/camera_buffer_manager_adapter.c | 7 +++++++
 adapter/khdf/linux/model/camera/src/virtual_malloc.c | 3 +++
 adapter/khdf/liteos/model/storage/src/mtd/mtd_char_lite.c | 3 +++
 3 files changed, 13 insertions(+)
diff --git a/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c b/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
index 0c28d6f10..acb27737b 100644
--- a/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
+++ b/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
@@ -58,6 +58,9 @@ static void CommonVmOpen(struct vm_area_struct *vma)
 return;
 }
 struct VmareaHandler *handler = vma->vm_private_data;
+ if (handler == NULL || handler->refCount) {
+ return;
+ }
 refcount_inc(handler->refCount);
 }
@@ -69,6 +72,10 @@ static void CommonVmClose(struct vm_area_struct *vma)
 }
 struct VmareaHandler *handler = vma->vm_private_data;
+ if (handler == NULL || handler->arg == NULL) {
+ return;
+ }
+
 handler->free(handler->arg);
 }
diff --git a/adapter/khdf/linux/model/camera/src/virtual_malloc.c b/adapter/khdf/linux/model/camera/src/virtual_malloc.c
index 2d723b75e..e33e3e0a7 100644
--- a/adapter/khdf/linux/model/camera/src/virtual_malloc.c
+++ b/adapter/khdf/linux/model/camera/src/virtual_malloc.c
@@ -24,6 +24,9 @@ struct VmallocBuffer {
 static void VmallocMmapFree(void *bufPriv)
 {
 struct VmallocBuffer *buf = bufPriv;
+ if (buf == NULL) {
+ return;
+ }
 if (refcount_dec_and_test(&buf->refCount) != 0) {
 vfree(buf->vaddr);
diff --git a/adapter/khdf/liteos/model/storage/src/mtd/mtd_char_lite.c b/adapter/khdf/liteos/model/storage/src/mtd/mtd_char_lite.c
index 5decd9bd7..040d92fd9 100644
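Review bot: The guard added to CommonVmOpen tests `handler->refCount` without a comparison, so the function returns whenever that pointer is set and `refcount_inc(handler->refCount)` is never reached. At this revision an additional VMA open takes no reference, while CommonVmClose in the next hunk still calls `handler->free(handler->arg)`, which would presumably release the buffer while another mapping still uses it. Patch 2/2 changes the test to `handler->refCount == NULL`; folding that fix into this commit keeps every revision of the series safe to build and bisect. The start of CommonVmOpen is outside the hunk.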
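Review bot: The new guard in CommonVmClose validates `handler` and `handler->arg` but not the function pointer that is invoked on the next line, so a handler with an unset callback still ends in a NULL call; `if (handler == NULL || handler->free == NULL || handler->arg == NULL) {` would cover it. A NULL test also cannot recognise a handler that has already been released: nothing in the visible lines clears `vma->vm_private_data`, so a stale non-NULL pointer passes the check unchanged. If the goal of the commit is use-after-free hardening, the handler's lifetime relative to the VMA has to be guaranteed where it is allocated and freed, which is outside this hunk.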
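Review bot: The `buf == NULL` guard in VmallocMmapFree prevents a NULL dereference but not a repeated call with the same pointer: once `refcount_dec_and_test(&buf->refCount)` has reached zero and `vfree(buf->vaddr)` has run, a second call would operate on state that is no longer valid. Consider stating the contract above the function, for example `/* bufPriv must hold a live reference; the caller must not use it again after this call */`, and clearing the stored pointer at the call site once the last reference is dropped. The remainder of the function is outside the hunk, so whether `buf` itself is freed there is inferred.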
--- a/adapter/khdf/liteos/model/storage/src/mtd/mtd_char_lite.c
+++ b/adapter/khdf/liteos/model/storage/src/mtd/mtd_char_lite.c
@@ -98,6 +98,9 @@ static int MtdCharClose(FAR struct file *filep)
 struct drv_data *drv = (struct drv_data *)filep->f_vnode->data;
 mtd_partition *partition = (mtd_partition *)drv->priv;
 struct MtdFileInfo *mfi = (struct MtdFileInfo *)(filep->f_priv);
+ if (mfi == NULL) {
+ return EFAIL;
+ }
 (void)LOS_MuxLock(&partition->lock, LOS_WAIT_FOREVER);
--
Gitee
From f9c8082b4e09c473680a62351e9c721e919303b0 Mon Sep 17 00:00:00 2001
From: huyx
Date: Wed, 14 Aug 2024 09:39:28 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: huyx
---
 .../khdf/linux/model/camera/src/camera_buffer_manager_adapter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c b/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
index acb27737b..3bee93f79 100644
--- a/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
+++ b/adapter/khdf/linux/model/camera/src/camera_buffer_manager_adapter.c
@@ -58,7 +58,7 @@ static void CommonVmOpen(struct vm_area_struct *vma)
 return;
 }
 struct VmareaHandler *handler = vma->vm_private_data;
- if (handler == NULL || handler->refCount) {
+ if (handler == NULL || handler->refCount == NULL) {
 return;
 }
--
Gitee
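Review bot: The `mfi == NULL` check in MtdCharClose comes after `filep->f_vnode->data` and `drv->priv` have already been dereferenced, and `partition` is used in `LOS_MuxLock(&partition->lock, LOS_WAIT_FOREVER)` on the following line without any check, so the guard covers only one of the pointers this function relies on. If these pointers can be NULL on this path, test them together before the lock is taken, for example `if (mfi == NULL || partition == NULL) {`. Please also confirm that `EFAIL` matches the sign and errno convention of the other return paths of this close handler; the rest of the function is outside the hunk.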
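Review bot: With the corrected test, CommonVmOpen returns silently when `handler->refCount` is NULL, yet CommonVmClose as changed in patch 1/2 checks only `handler` and `handler->arg` before calling `handler->free`, so a VMA opened on this path would presumably still drop a reference it never took. An open callback has no way to report failure, so the inconsistency should at least be made visible, for example `if (WARN_ON_ONCE(handler == NULL || handler->refCount == NULL)) {`, and the same condition applied in CommonVmClose so that open and close stay paired. The `refcount_inc` call and the end of the function are outside this hunk.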