From f46f39735feb6d659ff019282726380448871ddf Mon Sep 17 00:00:00 2001
From: "Sravan Kumar D.V.N" <sravank1@codeaurora.org>
Date: Tue, 17 Jan 2017 12:11:56 +0530
Subject: [PATCH] msm: mdss: Fix possible integer overflow

Avoid possible integer overflow while validating mdp3
lut config parameters.

Change-Id: Ie3f59748e613fbbf755a98dcc688491a8c4e2cca
CRs-Fixed: 1104664
Signed-off-by: Sravan Kumar D.V.N <sravank1@codeaurora.org>
---
 drivers/video/fbdev/msm/mdp3_ctrl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdp3_ctrl.c b/drivers/video/fbdev/msm/mdp3_ctrl.c
index da6c68d43b53..fc89a2ea772e 100644
--- a/drivers/video/fbdev/msm/mdp3_ctrl.c
+++ b/drivers/video/fbdev/msm/mdp3_ctrl.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -2147,8 +2147,10 @@ static int mdp3_ctrl_lut_config(struct msm_fb_data_type *mfd,
 
 	dma = mdp3_session->dma;
 
-	if (cfg->cmap.start + cfg->cmap.len > MDP_LUT_SIZE) {
-		pr_err("Invalid arguments\n");
+	if ((cfg->cmap.start > MDP_LUT_SIZE) ||
+		(cfg->cmap.len > MDP_LUT_SIZE) ||
+		(cfg->cmap.start + cfg->cmap.len > MDP_LUT_SIZE)) {
+		pr_err("Invalid arguments.\n");
 		return  -EINVAL;
 	}