msm: isp: fix for potential array out of bound access

There is no bound check on dual_hw_ms_cmd->num_src,
which is coming from userspace
num_src is used as the limit for the for loop.
The max num_src can hold is 255 (type uint8_t).
This implies that i can go up to 254.
However dual_hw_ms_cmd->input_src can only hold 5 bytes.
So, we may access out of bound array.

CRs-Fixed: 2006169

Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Senthil Kumar Rajagopal 2017-02-15 15:08:09 +05:30 committed by Gerrit - the friendly Code Review server
parent 10a55a5874
commit 9fa25bf455

@ -630,6 +630,13 @@ static int msm_isp_set_dual_HW_master_slave_mode(
}
ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,
dual_hw_ms_cmd->num_src);
if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
pr_err("%s: Error! Invalid num_src %d\n", __func__,
dual_hw_ms_cmd->num_src);
spin_unlock_irqrestore(&vfe_dev->common_data->
common_dev_data_lock, flags);
return -EINVAL;
}
/* This for loop is for non-primary intf to be marked with Master/Slave
* in order for frame id sync. But their timestamp is not saved.
* So no sof_info resource is allocated */
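
Review bot: The new check `if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX)` bounds num_src by a constant rather than by the array it is meant to protect, and the declaration of input_src is not visible in this hunk, so the fix is only correct if input_src has at least VFE_SRC_MAX elements. Comparing against `ARRAY_SIZE(dual_hw_ms_cmd->input_src)` would keep the limit tied to the array if either definition changes later. Two smaller points on the same block: the check runs with common_dev_data_lock held, which is why the error path has to call spin_unlock_irqrestore by hand; if nothing in the locked region is needed to read num_src, validating it before the lock is taken would remove that extra unlock path. And since the commit message says num_src comes from userspace, the pr_err can be triggered at will by a caller; pr_err_ratelimited would keep a misbehaving client from flooding the kernel log.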