From 77c4aba67d89ba4055b7c9bd417f49593cba497b Mon Sep 17 00:00:00 2001
|
|
|
|
From: Kumar Behera <mohanb@codeaurora.org>
|
|
|
|
Date: Fri, 9 Dec 2016 09:55:00 -0800
|
|
|
|
Subject: msm: cpp: Fix for integer overflow in cpp
|
|
|
|
|
|
|
|
Due to integer overflow, the bound check in the config frame function
may pass, allowing the user to access an invalid buffer. This
fix enforces a proper bound and does not allow integer overflow.
|
|
|
|
|
|
|
|
CRs-Fxied: 1097709
|
|
|
|
Change-Id: I504ad591633afaba82268b5ee27a321691d75c80
|
|
|
|
Signed-off-by: Kumar Behera <mohanb@codeaurora.org>
|
|
|
|
---
|
|
|
|
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 9 ++++++++-
|
|
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
|
|
index b7724b4..5be2748 100644
|
|
|
|
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
|
|
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
|
|
@@ -2479,7 +2479,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
|
|
|
|
struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info;
|
|
|
|
int32_t in_fd;
|
|
|
|
int32_t num_output_bufs = 1;
|
|
|
|
- int32_t stripe_base = 0;
|
|
|
|
+ uint32_t stripe_base = 0;
|
|
|
|
uint32_t stripe_size;
|
|
|
|
uint8_t tnr_enabled;
|
|
|
|
enum msm_camera_buf_mngr_buf_type buf_type =
|
|
|
|
@@ -2514,6 +2514,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
+ if (stripe_base == UINT_MAX || new_frame->num_strips >
|
|
|
|
+ (UINT_MAX - 1 - stripe_base) / stripe_size) {
|
|
|
|
+ pr_err("Invalid frame message,num_strips %d is large\n",
|
|
|
|
+ new_frame->num_strips);
|
|
|
|
+ return -EINVAL;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
|
|
|
|
new_frame->msg_len) {
|
|
|
|
pr_err("Invalid frame message,len=%d,expected=%d\n",
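Review bot: The new guard divides by `stripe_size` in `(UINT_MAX - 1 - stripe_base) / stripe_size` without the hunk ever establishing it is non-zero; `stripe_size` is assigned earlier in msm_cpp_cfg_frame, outside this hunk, so if that path can leave it 0 a malformed frame now faults in the kernel instead of being rejected, and a one-line `if (!stripe_size) return -EINVAL;` ahead of the check closes that. Alternatively, computing the expected length in 64 bits removes both the division and the `stripe_base == UINT_MAX` special case: `u64 expected = (u64)stripe_base + (u64)new_frame->num_strips * stripe_size + 1;` followed by `if (expected != new_frame->msg_len) {`. The added `pr_err` prints `num_strips` with `%d`; the comparison against an unsigned quotient suggests the field is unsigned, in which case `%u` is the matching specifier (the declaration is not visible here, so confirm). msm_cpp_cfg_frame begins before this hunk and continues after it.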
|
|
|
|
--
|
|
|
|
|
|
|
|
|