From 718254e9fd705087be92603deb531f66d9a97c35 Mon Sep 17 00:00:00 2001
From: Naseer Ahmed
Date: Wed, 11 Jan 2017 12:57:48 -0500
Subject: [PATCH] msm: mdss: Validate cursor image size

Check size of cursor image provided by userspace and return error appropriately.

Bug: 34125463
CRs-Fixed: 1115406
Change-Id: I31aee3c9219921cf5c4306b36f8708582b838c38
Signed-off-by: Naseer Ahmed
Signed-off-by: Rajkumar Subbiah
---
 drivers/video/fbdev/msm/mdss_mdp_overlay.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_mdp_overlay.c b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
index 9e295815da77..f81f815fafea 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_overlay.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_overlay.c
@@ -4367,12 +4367,21 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd,
 start_y = 0;
 }

+ if ((img->width > mdata->max_cursor_size) ||
+ (img->height > mdata->max_cursor_size) ||
+ (img->depth != 32) || (start_x >= xres) ||
+ (start_y >= yres)) {
+ pr_err("Invalid cursor image coordinates\n");
+ ret = -EINVAL;
+ goto done;
+ }
+
 roi.w = min(xres - start_x, img->width - roi.x);
 roi.h = min(yres - start_y, img->height - roi.y);

 if ((roi.w > mdata->max_cursor_size) ||
- (roi.h > mdata->max_cursor_size) ||
- (img->depth != 32) || (start_x >= xres) || (start_y >= yres)) {
+ (roi.h > mdata->max_cursor_size)) {
+ pr_err("Invalid cursor ROI size\n");
 ret = -EINVAL;
 goto done;
 }
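Review bot: The new guard bounds `img->width` and `img->height` against `max_cursor_size` but never compares them with `roi.x` and `roi.y`, so `img->width - roi.x` and `img->height - roi.y` in the two `min()` lines just below can still go negative. If those fields are unsigned (their types are not visible in the hunk), the result instead wraps to a huge value that `min()` clamps to the screen remainder rather than rejecting. `roi.x` and `roi.y` are assigned earlier in `mdss_mdp_hw_cursor_pipe_update`, outside this hunk, so their range should be confirmed there. If they derive from the userspace-supplied cursor position, extend the condition with `(roi.x >= img->width) || (roi.y >= img->height) ||`, which also rejects a zero-sized image. Both new `pr_err()` calls sit on a path userspace can hit repeatedly, so `pr_err_ratelimited()` would keep a misbehaving client from flooding the kernel log; the first message also says "coordinates" although it fires for size and depth failures too.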