From 3a42f1b79ed696f29350f170c00f27712ae84a36 Mon Sep 17 00:00:00 2001
From: Maggie White <maggiewhite@google.com>
Date: Wed, 5 Jul 2017 13:00:40 -0700
Subject: msm: camera: isp: fix for out of bound access array

There is no bound check in stream_cfg_cmd->num_streams and it's used in
several places as a maximum index into the stream_cfg_cmd->stream_handle
array which has a size of 15. Current code didn't check the maximum
index to make sure it didn't exceed the array size.

Bug: 62379525
Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0
Signed-off-by: Maggie White <maggiewhite@google.com>
---
 .../platform/msm/camera_v2/isp/msm_isp_stats_util.c   | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
index 82da3e0..43a2c77 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
@@ -550,6 +550,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
 	int i;
 	uint32_t stats_mask = 0, idx;
 
+	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+		pr_err("%s invalid num_streams %d\n", __func__,
+			stream_cfg_cmd->num_streams);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
 
@@ -630,6 +636,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev,
 		stats_data->stream_info);
 	if (rc < 0)
 		return rc;
+
+	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+		pr_err("%s invalid num_streams %d\n", __func__,
+			stream_cfg_cmd->num_streams);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
 
@@ -702,6 +715,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev,
 	num_stats_comp_mask =
 		vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;
 
+	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+		pr_err("%s invalid num_streams %d\n", __func__,
+			stream_cfg_cmd->num_streams);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 
 		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
-- 
cgit v1.1