From 07a24dd5e6fd9c65d8b2a7086fe89f54f22a2ee5 Mon Sep 17 00:00:00 2001 From: Surajit Podder Date: Fri, 11 Aug 2017 13:12:18 +0530 Subject: [PATCH] msm: vidc: Fix possible out of bound array access Fix possible out of bound array access by putting bounds check in __map_and_update_binfo. Use u32 to access array to simplify bounds check. Change-Id: I127fdc76fc273c0bcca727e9264a1d0f208dac1b Signed-off-by: Surajit Podder --- drivers/media/platform/msm/vidc/msm_vidc.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c index de4705c3d2eb..3677bb6e32e6 100644 --- a/drivers/media/platform/msm/vidc/msm_vidc.c +++ b/drivers/media/platform/msm/vidc/msm_vidc.c @@ -533,11 +533,18 @@ static inline void save_v4l2_buffer(struct v4l2_buffer *b, static int __map_and_update_binfo(struct msm_vidc_inst *inst, struct buffer_info *binfo, - struct v4l2_buffer *b, int i) + struct v4l2_buffer *b, u32 i) { int rc = 0; struct msm_smem *same_fd_handle = NULL; + if (i >= VIDEO_MAX_PLANES) { + dprintk(VIDC_ERR, "Num planes exceeds max: %d, %d\n", + i, VIDEO_MAX_PLANES); + rc = -EINVAL; + goto exit; + } + same_fd_handle = get_same_fd_buffer( inst, b->m.planes[i].reserved[0]); @@ -558,6 +565,7 @@ static int __map_and_update_binfo(struct msm_vidc_inst *inst, b->m.planes[i].m.userptr = binfo->device_addr[i]; } +exit: return rc; } @@ -565,7 +573,8 @@ static int __handle_fw_referenced_buffers(struct msm_vidc_inst *inst, struct buffer_info *binfo, struct v4l2_buffer *b) { - int i = 0, rc = 0; + int rc = 0; + u32 i = 0; if (EXTRADATA_IDX(b->length)) { i = EXTRADATA_IDX(b->length); @@ -583,8 +592,8 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) { struct buffer_info *binfo = NULL; struct buffer_info *temp = NULL, *iterator = NULL; - int plane = 0; - int i = 0, rc = 0; + int plane = 0, rc = 0; + u32 i = 0; if (!b || !inst) { dprintk(VIDC_ERR, "%s: invalid input\n", __func__);