evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: vidc: Fix possible out of bound array access

Browse source 
Fix possible out of bound array access by
putting bounds check in __map_and_update_binfo.
Use u32 to access array to simplify bounds check.

Change-Id: I127fdc76fc273c0bcca727e9264a1d0f208dac1b
Signed-off-by: Surajit Podder <spodder@codeaurora.org>
This commit is contained in:
Surajit Podder 2017-08-11 13:12:18 +05:30
parent a49bb61510
commit 07a24dd5e6
1 changed files with 13 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
drivers/media/platform/msm/vidc/msm_vidc.c
View file

@ -533,11 +533,18 @@ static inline void save_v4l2_buffer(struct v4l2_buffer *b,
static int __map_and_update_binfo(struct msm_vidc_inst *inst,
struct buffer_info *binfo,
struct v4l2_buffer *b, int i)
struct v4l2_buffer *b, u32 i)
{
int rc = 0;
struct msm_smem *same_fd_handle = NULL;
if (i >= VIDEO_MAX_PLANES) {
dprintk(VIDC_ERR, "Num planes exceeds max: %d, %d\n",
i, VIDEO_MAX_PLANES);
rc = -EINVAL;
goto exit;
}
same_fd_handle = get_same_fd_buffer(
inst, b->m.planes[i].reserved[0]);
@ -558,6 +565,7 @@ static int __map_and_update_binfo(struct msm_vidc_inst *inst,
b->m.planes[i].m.userptr = binfo->device_addr[i];
}
exit:
return rc;
}
@ -565,7 +573,8 @@ static int __handle_fw_referenced_buffers(struct msm_vidc_inst *inst,
struct buffer_info *binfo,
struct v4l2_buffer *b)
{
int i = 0, rc = 0;
int rc = 0;
u32 i = 0;
if (EXTRADATA_IDX(b->length)) {
i = EXTRADATA_IDX(b->length);
@ -583,8 +592,8 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b)
{
struct buffer_info *binfo = NULL;
struct buffer_info *temp = NULL, *iterator = NULL;
int plane = 0;
int i = 0, rc = 0;
int plane = 0, rc = 0;
u32 i = 0;
if (!b || !inst) {
dprintk(VIDC_ERR, "%s: invalid input\n", __func__);