From 64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385 Mon Sep 17 00:00:00 2001
From: Pratap Nirujogi
Date: Mon, 20 Feb 2017 17:29:33 +0530
Subject: msm: camera: cpp: Fixing Heap overflow in output buffer

Issue: Missing bound check when writing into the output array buffer, which can lead to out-of-bound heap write.

Fix: Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT macro and size check to the place where the array is accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT. Caller will return -EINVAL for '0'.

Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
CRs-Fixed: 2004036
Signed-off-by: Pratap Nirujogi
---
 drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 ++
 include/uapi/media/msmb_pproc.h | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index e35a744..19d9bbb 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2045,6 +2045,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
 /* More or equal bufs as Input buffer */
 num_output_bufs = new_frame->batch_info.batch_size;
 }
+ if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
+ return 0;
 for (i = 0; i < num_output_bufs; i++) {
 new_frame->output_buffer_info[i].index =
 buff_mgr_info->user_buf.buf_idx[i];
diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
index b65669b..8f45457 100644
--- a/include/uapi/media/msmb_pproc.h
+++ b/include/uapi/media/msmb_pproc.h
@@ -16,6 +16,7 @@
 #define MSM_CPP_MAX_FRAME_LENGTH 4096
 #define MSM_CPP_MAX_FW_NAME_LEN 32
 #define MAX_FREQ_TBL 10
+#define MSM_OUTPUT_BUF_CNT 8
 enum msm_cpp_frame_type {
 MSM_CPP_OFFLINE_FRAME,
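Review bot: The new bound check at `if (num_output_bufs > MSM_OUTPUT_BUF_CNT)` rejects silently — a frame whose batch_size exceeds the array is a malformed or hostile request from userspace, and the only trace it leaves is the caller's -EINVAL, so a rate-limited diagnostic before the return, `pr_err_ratelimited("%s: output buffer count exceeds MSM_OUTPUT_BUF_CNT\n", __func__);` (or the driver's own logging macro, if it has one), would make the rejection visible in the kernel log. The check is sufficient for output_buffer_info, which the other hunk of this commit sizes to MSM_OUTPUT_BUF_CNT, but the same loop also reads `buff_mgr_info->user_buf.buf_idx[i]`, whose length is not visible here; if buf_idx holds fewer than MSM_OUTPUT_BUF_CNT entries that read remains unbounded and needs its own limit — worth confirming against the declaration. A one-line comment at the check, `/* 0 is the error value here; the caller maps it to -EINVAL */`, would record the convention the commit message relies on, since returning 0 for "invalid" is easy to misread as success. msm_cpp_check_buf_type begins before this hunk and continues after it, so the other paths that assign num_output_bufs are not visible.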
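Review bot: `#define MSM_OUTPUT_BUF_CNT 8` lands in a uapi header with nothing tying it to the struct it sizes, so a later edit could bump it for a bigger batch and silently change the layout of msm_cpp_frame_info_t shared with userspace, while the kernel-side bound check in msm_cpp_check_buf_type would follow the new value without anyone noticing the ABI break. Add a comment above the define, `/* Entries in msm_cpp_frame_info_t.output_buffer_info; part of the uapi ABI and the bound checked in msm_cpp_check_buf_type — changing it changes the struct layout */`. The name also departs from the MSM_CPP_ prefix of the neighbouring limits in this hunk, which is cosmetic but worth aligning while the macro is new and has no external users.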
@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
 uint32_t feature_mask;
 uint8_t we_disable;
 struct msm_cpp_buffer_info_t input_buffer_info;
- struct msm_cpp_buffer_info_t output_buffer_info[8];
+ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
 struct msm_cpp_buffer_info_t duplicate_buffer_info;
 struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
 uint32_t reserved;
-- 
cgit v1.1