mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-23 22:01:08 -05:00
126 lines
4.3 KiB
Diff
126 lines
4.3 KiB
Diff
|
From 8c5300aec8cd9882b89e9d169680221541da0d7f Mon Sep 17 00:00:00 2001
|
||
|
From: Monika Alekhya <malekh@codeaurora.org>
|
||
|
Date: Fri, 28 Jun 2013 18:23:40 +0530
|
||
|
Subject: msm:camera: Fix overflow issue in ioctl_hw_cmds function
|
||
|
|
||
|
'len' is of type signed int 32bit,but the assigned value
|
||
|
may exceed maximum unsigned int32 range.Add overflow check
|
||
|
and graceful exit if 'm'exceeds UINT32_MAX value.
|
||
|
|
||
|
Change-Id: I38f0d10a0cb44d08d0054f91044fc891c246ebd1
|
||
|
CRs-Fixed: 493314
|
||
|
Signed-off-by: Monika Alekhya <malekh@codeaurora.org>
|
||
|
---
|
||
|
drivers/media/video/msm/gemini/msm_gemini_sync.c | 9 ++++++++-
|
||
|
drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c | 10 ++++++++--
|
||
|
drivers/media/video/msm/mercury/msm_mercury_sync.c | 10 ++++++++--
|
||
|
3 files changed, 24 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/media/video/msm/gemini/msm_gemini_sync.c b/drivers/media/video/msm/gemini/msm_gemini_sync.c
|
||
|
index ef727fd..f5089ae 100644
|
||
|
--- a/drivers/media/video/msm/gemini/msm_gemini_sync.c
|
||
|
+++ b/drivers/media/video/msm/gemini/msm_gemini_sync.c
|
||
|
@@ -23,6 +23,7 @@
|
||
|
#include <mach/msm_bus.h>
|
||
|
#include <mach/msm_bus_board.h>
|
||
|
|
||
|
+# define UINT32_MAX (4294967295U)
|
||
|
static int release_buf;
|
||
|
|
||
|
/* size is based on 4k page size */
|
||
|
@@ -804,7 +805,7 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
|
||
|
void * __user arg)
|
||
|
{
|
||
|
int is_copy_to_user;
|
||
|
- int len;
|
||
|
+ uint32_t len;
|
||
|
uint32_t m;
|
||
|
struct msm_gemini_hw_cmds *hw_cmds_p;
|
||
|
struct msm_gemini_hw_cmd *hw_cmd_p;
|
||
|
@@ -813,6 +814,12 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
|
||
|
GMN_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
|
||
|
return -EFAULT;
|
||
|
}
|
||
|
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_gemini_hw_cmds))/
|
||
|
+ sizeof(struct msm_gemini_hw_cmd)))) {
|
||
|
+ GMN_PR_ERR("%s:%d] outof range of hwcmds\n",
|
||
|
+ __func__, __LINE__);
|
||
|
+ return -EINVAL;
|
||
|
+ }
|
||
|
|
||
|
len = sizeof(struct msm_gemini_hw_cmds) +
|
||
|
sizeof(struct msm_gemini_hw_cmd) * (m - 1);
|
||
|
diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
|
||
|
index 6ac4a5e..4a81fa6 100644
|
||
|
--- a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
|
||
|
+++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
|
||
|
@@ -22,6 +22,7 @@
|
||
|
#include "msm_jpeg_platform.h"
|
||
|
#include "msm_jpeg_common.h"
|
||
|
|
||
|
+#define UINT32_MAX (4294967295U)
|
||
|
static int release_buf;
|
||
|
|
||
|
inline void msm_jpeg_q_init(char const *name, struct msm_jpeg_q *q_p)
|
||
|
@@ -631,7 +632,7 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
|
||
|
void * __user arg)
|
||
|
{
|
||
|
int is_copy_to_user;
|
||
|
- int len;
|
||
|
+ uint32_t len;
|
||
|
uint32_t m;
|
||
|
struct msm_jpeg_hw_cmds *hw_cmds_p;
|
||
|
struct msm_jpeg_hw_cmd *hw_cmd_p;
|
||
|
@@ -640,7 +641,12 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
|
||
|
JPEG_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
|
||
|
return -EFAULT;
|
||
|
}
|
||
|
-
|
||
|
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_jpeg_hw_cmds))/
|
||
|
+ sizeof(struct msm_jpeg_hw_cmd)))) {
|
||
|
+ JPEG_PR_ERR("%s:%d] outof range of hwcmds\n",
|
||
|
+ __func__, __LINE__);
|
||
|
+ return -EINVAL;
|
||
|
+ }
|
||
|
len = sizeof(struct msm_jpeg_hw_cmds) +
|
||
|
sizeof(struct msm_jpeg_hw_cmd) * (m - 1);
|
||
|
hw_cmds_p = kmalloc(len, GFP_KERNEL);
|
||
|
diff --git a/drivers/media/video/msm/mercury/msm_mercury_sync.c b/drivers/media/video/msm/mercury/msm_mercury_sync.c
|
||
|
index 9293aad..fe74a0a 100644
|
||
|
--- a/drivers/media/video/msm/mercury/msm_mercury_sync.c
|
||
|
+++ b/drivers/media/video/msm/mercury/msm_mercury_sync.c
|
||
|
@@ -24,6 +24,7 @@
|
||
|
#include "msm_mercury_macros.h"
|
||
|
#include "msm_mercury_hw_reg.h"
|
||
|
|
||
|
+#define UINT32_MAX (4294967295U)
|
||
|
static struct msm_mercury_core_buf out_buf_local;
|
||
|
static struct msm_mercury_core_buf in_buf_local;
|
||
|
|
||
|
@@ -470,7 +471,7 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
|
||
|
void * __user arg)
|
||
|
{
|
||
|
int is_copy_to_user;
|
||
|
- int len;
|
||
|
+ uint32_t len;
|
||
|
uint32_t m;
|
||
|
struct msm_mercury_hw_cmds *hw_cmds_p;
|
||
|
struct msm_mercury_hw_cmd *hw_cmd_p;
|
||
|
@@ -479,7 +480,12 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
|
||
|
MCR_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
|
||
|
return -EFAULT;
|
||
|
}
|
||
|
-
|
||
|
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_mercury_hw_cmds))/
|
||
|
+ sizeof(struct msm_mercury_hw_cmd)))) {
|
||
|
+ MCR_PR_ERR("%s:%d] outof range of hwcmds\n",
|
||
|
+ __func__, __LINE__);
|
||
|
+ return -EINVAL;
|
||
|
+ }
|
||
|
len = sizeof(struct msm_mercury_hw_cmds) +
|
||
|
sizeof(struct msm_mercury_hw_cmd) * (m - 1);
|
||
|
hw_cmds_p = kmalloc(len, GFP_KERNEL);
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|