msm: camera: isp: add bound check to handle array out of access

The pointer req_frm comes from userspace,
req_frm->stream_handle is passed as an argument to
the function msm_isp_get_stream_common_data,
stream_idx can overflow common_data->streams[] and
the code ends up copying an out of bound
kernel address into stream_info. Adding bound check to
handle the same.

CRs-fixed: 2008683
Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>

drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c

@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
 			&update_cmd->req_frm_ver2;
 		stream_info = msm_isp_get_stream_common_data(vfe_dev,
 				HANDLE_TO_IDX(req_frm->stream_handle));
+		if (stream_info == NULL) {
+			pr_err_ratelimited("%s: stream_info is NULL\n",
+				__func__);
+			rc = -EINVAL;
+			break;
+		}
 		rc = msm_isp_request_frame(vfe_dev, stream_info,
 			req_frm->user_stream_id,
 			req_frm->frame_id,

drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h

@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
 	struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
 	struct msm_vfe_axi_stream *stream_info;
 
+	if (stream_idx >= VFE_AXI_SRC_MAX) {
+		pr_err("invalid stream_idx %d\n", stream_idx);
+		return NULL;
+	}
+
 	if (vfe_dev->is_split &&  stream_idx < RDI_INTF_0)
 		stream_info = &common_data->streams[stream_idx];
 	else