msm: camera: cpp: Fixing Heap overflow in output buffer

Issue:
Missing bound check when writing into the output array
buffer, which can lead to out-of-bound heap write.

Fix:
Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
macro and size check to the place where the array is
accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
Caller will return -EINVAL for '0'.

Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
CRs-Fixed: 2004036
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>

drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c

@@ -2116,6 +2116,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
 			/* More or equal bufs as Input buffer */
 			num_output_bufs = new_frame->batch_info.batch_size;
 		}
+		if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
+			return 0;
 		for (i = 0; i < num_output_bufs; i++) {
 			new_frame->output_buffer_info[i].index =
 				buff_mgr_info->user_buf.buf_idx[i];

include/uapi/media/msmb_pproc.h

@@ -16,6 +16,7 @@
 #define MSM_CPP_MAX_FRAME_LENGTH 4096
 #define MSM_CPP_MAX_FW_NAME_LEN 32
 #define MAX_FREQ_TBL 10
+#define MSM_OUTPUT_BUF_CNT 8
 
 enum msm_cpp_frame_type {
 	MSM_CPP_OFFLINE_FRAME,
@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
 	uint32_t feature_mask;
 	uint8_t we_disable;
 	struct msm_cpp_buffer_info_t input_buffer_info;
-	struct msm_cpp_buffer_info_t output_buffer_info[8];
+	struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
 	struct msm_cpp_buffer_info_t duplicate_buffer_info;
 	struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
 	uint32_t reserved;