msm: camera: sensor: Offset Validation before dereferencing

- Validation of settings_array_offset which is populated
  from umd as sizeof(CSLTPGSettingsConfigCmd).

CRs-Fixed: 3788500
Change-Id: Ic848d537f1b56bcfc47b295b063e9670313c9a33
Signed-off-by: Abhilash Mahapatra <[email protected]>

drivers/cam_sensor_module/cam_tpg/tpg_hw/tpg_hw.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include "tpg_hw.h"
@@ -1086,6 +1086,12 @@ int tpg_hw_copy_settings_config(
 		return -EINVAL;
 	}
 
+	if (settings->settings_array_offset >
+		sizeof(struct tpg_settings_config_t)) {
+		CAM_ERR(CAM_TPG, "Invalid Array Offset");
+		return -EINVAL;
+	}
+
 	reg_settings = (struct tpg_reg_settings *)
 		((uint8_t *)settings + settings->settings_array_offset);