From 79db0d152398fab0421c2f1381f13a1ecc71a547 Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Wed, 2 Aug 2017 14:07:43 +0530
Subject: [PATCH] msm: ais: Bound check for num_of_stream - num of stream comes from userspace and used without any bound check.It may result to overflow update_info.
Change-Id: I67341f3c3e1a3384474c35f6e6275d6e1917fdcd
CRs-Fixed: 2006829
Signed-off-by: Rahul Sharma
---
 drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
index 6e89544161ee..0d08cffda25c 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
@@ -891,6 +891,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
 struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL;
 struct msm_isp_sw_framskip *sw_skip_info = NULL;
 
+ if (update_cmd->num_streams > MSM_ISP_STATS_MAX) {
+ pr_err("%s: Invalid num_streams %d\n",
+ __func__, update_cmd->num_streams);
+ return -EINVAL;
+ }
+
 /* validate request */
 for (i = 0; i < update_cmd->num_streams; i++) {
 update_info = (struct msm_vfe_axi_stream_cfg_update_info *)
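Review bot: The new rejection path in msm_isp_update_stats_stream logs with an unthrottled `pr_err`, and because num_streams is supplied by userspace (per the commit message) any caller that can reach this path can fill the kernel log at will; `pr_err_ratelimited("%s: Invalid num_streams %u\n", __func__, update_cmd->num_streams);` keeps the diagnostic without that side effect. The `%d` specifier should also be checked against the field's declared type, which is not visible in this hunk; if the field is unsigned, `%u` is the matching specifier. The bound is only correct if update_info is declared with exactly MSM_ISP_STATS_MAX elements, so confirm that against the struct definition and record it with a comment such as `/* num_streams is user-supplied; update_info[] holds MSM_ISP_STATS_MAX entries */`. The function body starts and ends outside the hunk, so whether later loops over num_streams are all reached only after this check cannot be confirmed from here.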