From 91ea960b91250eca57d8fbdb8aafa11d80695d46 Mon Sep 17 00:00:00 2001
From: VijayaKumar T M <vtmuni@codeaurora.org>
Date: Wed, 8 Jun 2016 16:32:11 +0530
Subject: msm: camera: ispif: Validate VFE num input during reset

Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.

CRs-Fixed: 898074
Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56
---
 drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
index 7fb1ac1..94735fd 100644
--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
@@ -1133,9 +1133,13 @@ static irqreturn_t msm_io_ispif_irq(int irq_num, void *data)
 static int msm_ispif_set_vfe_info(struct ispif_device *ispif,
 	struct msm_ispif_vfe_info *vfe_info)
 {
-	memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info));
-	if (ispif->vfe_info.num_vfe > ispif->hw_num_isps)
+	if (!vfe_info || (vfe_info->num_vfe <= 0) ||
+		((uint32_t)(vfe_info->num_vfe) > ispif->hw_num_isps)) {
+		pr_err("Invalid VFE info: %p %d\n", vfe_info,
+			(vfe_info ? vfe_info->num_vfe:0));
 		return -EINVAL;
+	}
+	memcpy(&ispif->vfe_info, vfe_info, sizeof(struct msm_ispif_vfe_info));
 	return 0;
 }
 
-- 
cgit v1.1