From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
From: Sriraj Hebbar
Date: Fri, 30 Jun 2017 13:14:28 +0530
Subject: msm: camera: isp: Handle array out of bound access

The pointer req_frm is coming from userspace, it may overflow stream_info. Adding a bound check to prevent the same.

CRs-fixed: 2008683
Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
Signed-off-by: Senthil Kumar Rajagopal
Signed-off-by: Andy Sun
---
 drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
index 373a963..a85ee30 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
 case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
 struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
 &update_cmd->req_frm_ver2;
+ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
+ pr_err("%s: Invalid stream handle\n", __func__);
+ rc = -EINVAL;
+ break;
+ }
+
 stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
 req_frm->stream_handle)];
 rc = msm_isp_request_frame(vfe_dev, stream_info,
--
cgit v1.1
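Review bot: The new guard and the array access each expand `HANDLE_TO_IDX(req_frm->stream_handle)` on their own, so the value that is checked is not provably the value that is used; read it once into an unsigned local, e.g. `unsigned int idx = HANDLE_TO_IDX(req_frm->stream_handle);`, then test `if (idx >= VFE_AXI_SRC_MAX)` and index with `&axi_data->stream_info[idx]`. An unsigned local also rejects a negative result should the macro (defined outside this hunk) yield a signed type. The check only proves that the slot exists, not that the caller's handle belongs to the stream stored there, so it is worth confirming that `msm_isp_request_frame` or the code ahead of the switch validates that. Because the message is reachable with arbitrary caller-supplied handles, `pr_err_ratelimited` would keep it from flooding the log. The case block and the rest of `msm_isp_update_axi_stream` continue outside the hunk, so other cases that index `stream_info` cannot be assessed from here.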