From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
From: "Pachika, Vikas Reddy" <vpachi@codeaurora.org>
Date: Fri, 1 Nov 2013 21:06:37 +0530
Subject: msm: vidc: Validate userspace buffer count

Makesure the number of buffers count is less than
the maximum limit to avoid structure overflow errors.

Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
CRs-fixed: 563694
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
---
 drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
 include/media/msm/vidc_init.h            | 1 +
 2 files changed, 7 insertions(+)

diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
index a843889..b45100f 100644
--- a/drivers/video/msm/vidc/common/dec/vdec.c
+++ b/drivers/video/msm/vidc/common/dec/vdec.c
@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
 	vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
 	vcd_h264_mv_buffer->offset = mv_data->offset;
 
+	if (mv_data->count > MAX_MV_BUFFERS) {
+		ERR("MV buffers maximum count reached, count = %d",
+			mv_data->count);
+		return false;
+	}
+
 	if (!vcd_get_ion_status()) {
 		if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
 			(unsigned long *) (&(vcd_h264_mv_buffer->
diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
index c35f770..5df0c3e 100644
--- a/include/media/msm/vidc_init.h
+++ b/include/media/msm/vidc_init.h
@@ -20,6 +20,7 @@
 #define VIDC_MAX_NUM_CLIENTS 4
 #define MAX_VIDEO_NUM_OF_BUFF 100
 #define MAX_META_BUFFERS 32
+#define MAX_MV_BUFFERS 32
 
 enum buffer_dir {
 	BUFFER_TYPE_INPUT,
-- 
cgit v1.1