From d793c6d91ecba2a1fd206ad47a4fd408d290addf Mon Sep 17 00:00:00 2001
From: Trilokesh Rangam
Date: Wed, 23 Nov 2016 09:41:36 +0530
Subject: msm-camera: Addressing possible overflow conditions
Changes to address possible integer overflow and incorrect array indexing conditions.
Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9
Signed-off-by: Trilokesh Rangam
---
 drivers/media/video/msm/io/msm_camera_io_util.c | 6 +++++
 drivers/media/video/msm/msm_mctl_pp.c | 36 ++++++++++++++++++++++---
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/drivers/media/video/msm/io/msm_camera_io_util.c b/drivers/media/video/msm/io/msm_camera_io_util.c
index cede05d..1d2a70c 100644
--- a/drivers/media/video/msm/io/msm_camera_io_util.c
+++ b/drivers/media/video/msm/io/msm_camera_io_util.c
@@ -181,6 +181,12 @@ int msm_camera_config_vreg(struct device *dev, struct camera_vreg_t *cam_vreg,
 pr_err("%s:%d vreg sequence invalid\n", __func__, __LINE__);
 return -EINVAL;
 }
+
+ if (cam_vreg == NULL) {
+ pr_err("%s:%d cam_vreg sequence invalid\n", __func__, __LINE__);
+ return -EINVAL;
+ }
+
 if (!num_vreg_seq)
 num_vreg_seq = num_vreg;
diff --git a/drivers/media/video/msm/msm_mctl_pp.c b/drivers/media/video/msm/msm_mctl_pp.c
index 8f4f004..61321bf 100644
--- a/drivers/media/video/msm/msm_mctl_pp.c
+++ b/drivers/media/video/msm/msm_mctl_pp.c
@@ -36,6 +36,8 @@
 #define D(fmt, args...) do {} while (0)
 #endif
+#define UINT32_MAX (4294967295U)
+
 static int msm_mctl_pp_buf_divert(
 struct msm_cam_media_controller *pmctl,
 struct msm_cam_v4l2_dev_inst *pcam_inst,
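Review bot: The message on the new NULL check in msm_camera_config_vreg, `cam_vreg sequence invalid`, describes a different failure from the one being detected and is nearly identical to the message of the check just above it, so the two cases are hard to tell apart in a log. Say what was actually wrong, e.g. `pr_err("%s:%d cam_vreg is NULL\n", __func__, __LINE__);`. The function body starts outside the hunk, so whether cam_vreg is already dereferenced before this point cannot be confirmed from here.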
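Review bot: The unguarded `#define UINT32_MAX (4294967295U)` at the top of msm_mctl_pp.c will conflict or warn on redefinition if any header this file includes already provides that name. Wrap it in `#ifndef UINT32_MAX` / `#endif`, or use the tree's own 32-bit limit macro if it has one. The bound is also only correct if `phy_addr` and the offset fields it is compared against are 32-bit unsigned. Their declarations are not visible in this patch, so a comment above the macro stating that assumption would help, e.g. `/* phy_addr + offset must fit in 32 bits */`.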
@@ -668,11 +670,24 @@ int msm_mctl_pp_done(
 dirty = 1;
 }
 } else {
- if (frame.num_planes > 1)
+ if (frame.num_planes > 1) {
+ if (frame.mp[0].phy_addr >
+ (UINT32_MAX - frame.mp[0].data_offset)) {
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
 buf.ch_paddr[0] = frame.mp[0].phy_addr + frame.mp[0].data_offset;
- else
+ } else {
+ if (frame.sp.phy_addr >
+ (UINT32_MAX - frame.sp.y_off)) {
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
 buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
+ }
 }
 spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
@@ -713,11 +728,24 @@ int msm_mctl_pp_divert_done(
 buf_handle.image_mode = frame.image_type;
 }
- if (frame.num_planes > 1)
+ if (frame.num_planes > 1) {
+ if (frame.mp[0].phy_addr >
+ (UINT32_MAX - frame.mp[0].data_offset)) {
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
 buf.ch_paddr[0] = frame.mp[0].phy_addr + frame.mp[0].data_offset;
- else
+ } else {
+ if (frame.sp.phy_addr >
+ (UINT32_MAX - frame.sp.y_off)) {
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
 buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
+ }
 spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
-- 
cgit v1.1
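Review bot: Both new `return -EINVAL;` paths in msm_mctl_pp_done leave the function before the `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);` that follows the if/else. The matching lock acquire is outside the hunk, but if it is taken earlier in the function, a rejected offset returns with pp_info.lock held and interrupts still disabled. Release the lock on the error path by adding `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);` immediately before each `return -EINVAL;`, or record the error and fall through to the existing unlock. The msm_mctl_pp_divert_done hunk (@@ -713,11 +728,24 @@) has the same two early returns ahead of its unlock and needs the same change. If the frame fields are caller-supplied, a malformed offset would otherwise produce a stuck lock instead of a clean error.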