From 8d1f7531ff379befc129a6447642061e87562bca Mon Sep 17 00:00:00 2001 From: Hariram Purushothaman Date: Tue, 23 Jul 2013 15:39:09 -0700 Subject: msm: camera: Check stats index MAX in ISP driver Add a check for the stats index MAX using MSM_ISP_STATS_MAX before accessing stream info using that index to avoid any invalid memory access. Change-Id: Iaade2af5d0e3e073e9519961a0f84a93038284bf CRs-Fixed: 514711 Signed-off-by: Hariram Purushothaman --- .../msm/camera_v2/isp/msm_isp_stats_util.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c index d857a14..33f63b3 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c @@ -150,6 +150,12 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev, stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops. get_stats_idx(stream_req_cmd->stats_type); + if ((stats_idx > MSM_ISP_STATS_MAX) || + (stats_idx == -EINVAL)) { + pr_err("%s: Stats idx Error\n", __func__); + return rc; + } + stream_info = &stats_data->stream_info[stats_idx]; if (stream_info->state != STATS_AVALIABLE) { pr_err("%s: Stats already requested\n", __func__); @@ -188,7 +194,7 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev, int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg) { - int rc = 0; + int rc = -1; struct msm_vfe_stats_stream_request_cmd *stream_req_cmd = arg; struct msm_vfe_stats_stream *stream_info = NULL; struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; @@ -202,6 +208,11 @@ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg) } stats_idx = STATS_IDX(stream_req_cmd->stream_handle); + if (stats_idx > MSM_ISP_STATS_MAX) { + pr_err("%s: Stats idx Error\n", __func__); + return rc; + } + stream_info = &stats_data->stream_info[stats_idx]; framedrop_period = msm_isp_get_framedrop_period( @@ -228,9 +239,14 @@ int msm_isp_release_stats_stream(struct vfe_device *vfe_dev, void *arg) struct msm_vfe_stats_stream_release_cmd *stream_release_cmd = arg; struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; int stats_idx = STATS_IDX(stream_release_cmd->stream_handle); - struct msm_vfe_stats_stream *stream_info = - &stats_data->stream_info[stats_idx]; + struct msm_vfe_stats_stream *stream_info = NULL; + + if (stats_idx > MSM_ISP_STATS_MAX) { + pr_err("%s: Stats idx Error\n", __func__); + return rc; + } + stream_info = &stats_data->stream_info[stats_idx]; if (stream_info->state == STATS_AVALIABLE) { pr_err("%s: stream already release\n", __func__); return rc; -- cgit v1.1