From a8cb976e7c8f25191728b655e0b38328a6d7d81f Mon Sep 17 00:00:00 2001
From: Benjamin Chan
Date: Wed, 19 Apr 2017 16:24:40 -0400
Subject: msm: mdss: Add plane_count range check in mdss WFD

For any given output buffer to the MDSS WFD, it is necessary to check the range of the plane_count against the MAX_PLANES definition, in order to avoid any out of bound access.

CRs-Fixed: 2028702
Change-Id: I4f1497a3a2e4ca2d30fc268e68cfdacc0d8539ea
Signed-off-by: Benjamin Chan
---
 drivers/video/fbdev/msm/mdss_mdp_layer.c | 6 ++++++
 drivers/video/fbdev/msm/mdss_mdp_wfd.c | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/msm/mdss_mdp_layer.c b/drivers/video/fbdev/msm/mdss_mdp_layer.c
index 09a3422..5e96a08 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_layer.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_layer.c
@@ -3035,6 +3035,12 @@ int mdss_mdp_layer_pre_commit_wfd(struct msm_fb_data_type *mfd,
 wfd = mdp5_data->wfd;
 output_layer = commit->output_layer;
 
+ if (output_layer->buffer.plane_count > MAX_PLANES) {
+ pr_err("Output buffer plane_count exceeds MAX_PLANES limit:%d\n",
+ output_layer->buffer.plane_count);
+ return -EINVAL;
+ }
+
 data = mdss_mdp_wfd_add_data(wfd, output_layer);
 if (IS_ERR_OR_NULL(data))
 return PTR_ERR(data);
diff --git a/drivers/video/fbdev/msm/mdss_mdp_wfd.c b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
index 71a07f6..7868dc0 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_wfd.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
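Review bot: The `pr_err` added to mdss_mdp_layer_pre_commit_wfd logs unconditionally on a plane_count that appears to arrive with the caller's commit request, so a client that keeps submitting an oversized value can flood the kernel log; `pr_err_ratelimited(...)` would bound that. The field also looks unsigned (its declaration is not visible in this hunk, so confirm against the buffer struct), in which case the specifier should be `%u` rather than `%d` so that very large values are not printed as negative numbers. Both remarks apply equally to the check added in mdss_mdp_wb_import_data in mdss_mdp_wfd.c. The function body starts and ends outside the hunk, so whether `output_layer` is guaranteed non-NULL before the new dereference cannot be judged from here.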
@@ -322,6 +322,12 @@ int mdss_mdp_wb_import_data(struct device *device,
 if (wfd_data->layer.flags & MDP_LAYER_SECURE_SESSION)
 flags = MDP_SECURE_OVERLAY_SESSION;
 
+ if (buffer->plane_count > MAX_PLANES) {
+ pr_err("buffer plane_count exceeds MAX_PLANES limit:%d",
+ buffer->plane_count);
+ return -EINVAL;
+ }
+
 memset(planes, 0, sizeof(planes));
 
 for (i = 0; i < buffer->plane_count; i++) {
--
cgit v1.1
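Review bot: The format string in the `pr_err` added to mdss_mdp_wb_import_data has no trailing newline, unlike the matching message in mdss_mdp_layer.c, so the text can run into the next printk record; it should read `pr_err("buffer plane_count exceeds MAX_PLANES limit:%d\n",`. A one-line comment above the check, such as `/* reject before the loop below walks plane_count entries of planes[] */`, would record why the bound is enforced here as well as in the pre-commit path. The declaration of `planes` and the loop body are outside the hunk, so that the array really holds MAX_PLANES entries is taken from the commit message rather than from visible code.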