msm: mdss: Add bounds check in mdss_compat_overlay_ioctl

A bounds check is needed on the ovlist32->num_overlays variable
to prevent memory allocation of arbitrary size and avoid
subsequent undefined behaviour.

Change-Id: Ic70726f1825040e793ef256195d236d77b392791
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Krishna Chaitanya Parimi <cparimi@codeaurora.org>
Raghavendra Ambadas 2014-06-17 14:50:30 +05:30 committed by David Keitel
parent 153e6b81dd
commit 19c2832f43
3 changed files with 7 additions and 2 deletions


@ -23,6 +23,7 @@
#include "mdss_fb.h"
#include "mdss_compat_utils.h"
#include "mdss_mdp_hwio.h"
#include "mdss_mdp.h"
#define MSMFB_SET_LUT32 _IOW(MSMFB_IOCTL_MAGIC, 131, struct fb_cmap32)
#define MSMFB_HISTOGRAM32 _IOWR(MSMFB_IOCTL_MAGIC, 132,\
@ -2525,6 +2526,11 @@ int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd,
return -EFAULT;
}
if (num_overlays >= OVERLAY_MAX) {
pr_err("%s: No: of overlays exceeds max\n", __func__);
return -EINVAL;
}
layers_sz = num_overlays * sizeof(struct mdp_overlay);
prepare_sz = sizeof(struct mdp_overlay_list);
layers_refs_sz = num_overlays * sizeof(struct mdp_overlay *);
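Review bot: The new guard `if (num_overlays >= OVERLAY_MAX)` bounds the count only if `num_overlays` is unsigned and is the single copy used afterwards; its declaration and the fetch from `ovlist32->num_overlays` are outside this hunk, so both should be confirmed. If the variable is signed, a negative value passes the check and the `num_overlays * sizeof(...)` products just below convert it to a very large size, so it should be declared `u32` or the check should also test `num_overlays < 0`. Any later code that re-reads `ovlist32->num_overlays` from user memory instead of using the checked local would not be covered by this limit. The comparison also rejects a request of exactly `OVERLAY_MAX` entries; if ten overlays is a valid request the operator should be `>`, otherwise a one-line comment stating that the limit is exclusive would help.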


@ -47,6 +47,7 @@
#define MDP_MIN_VBP 4
#define MDP_MIN_FETCH 9
#define MAX_FREE_LIST_SIZE 12
#define OVERLAY_MAX 10
#define C3_ALPHA 3 /* alpha */
#define C2_R_Cr 2 /* R/Cr */
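Review bot: `OVERLAY_MAX` is now shared through this header and limits a count supplied from user space, but the define carries no comment saying so. I would add something like `/* upper bound on the user-supplied overlay count; checked before sizing allocations */` above it, so that a later change to the value is reviewed against every site that sizes buffers from it. Whether the compat path and the native overlay path both treat the value as an exclusive limit cannot be seen from this section.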


@ -44,8 +44,6 @@
#define IS_RIGHT_MIXER_OV(flags, dst_x, left_lm_w) \
((flags & MDSS_MDP_RIGHT_MIXER) || (dst_x >= left_lm_w))
#define OVERLAY_MAX 10
static int mdss_mdp_overlay_free_fb_pipe(struct msm_fb_data_type *mfd);
static int mdss_mdp_overlay_fb_parse_dt(struct msm_fb_data_type *mfd);
static int mdss_mdp_overlay_off(struct msm_fb_data_type *mfd);