From 61b419297e13ed9a28e9b880548b2d96d4aa6c0d Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Wed, 29 Jun 2016 14:34:31 +0530
Subject: msm: camera: Fix memory read by adding bounds check

Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset. IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without performing bounds check for following cmd_type. VFE_READ_DMI_16BIT VFE_READ_DMI_32BIT VFE_READ_DMI_64BIT
Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed
Signed-off-by: Trishansh Bhardwaj
---
 drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 8e7cb68..86392c6 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -1234,7 +1234,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
 case VFE_READ_DMI_16BIT:
 case VFE_READ_DMI_32BIT:
 case VFE_READ_DMI_64BIT: {
- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT ||
+ reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
 if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
 reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
 (reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
-- 
cgit v1.1
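Review bot: The commit message names VFE_READ_DMI_16BIT and VFE_READ_DMI_32BIT as affected, but the new condition extends the hi_tbl_offset/lo_tbl_offset validation only to VFE_READ_DMI_64BIT, and nothing in the hunk says why the other two are exempt. If the 16- and 32-bit paths never consume hi_tbl_offset (likely, but not visible here), record that above the condition, e.g. `/* hi_tbl_offset is only consumed by the 64-bit DMI commands */`; otherwise they need the same check. Both offsets come straight from the ioctl caller, so whether lo_tbl_offset and the length are bounded against the copied-in command buffer for every cmd_type in this case should be confirmed. The validation block and the rest of msm_isp_send_hw_cmd continue outside the hunk, so that cannot be verified from here.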