From cf3c97b8b6165f13810e530068fbf94b07f1f77d Mon Sep 17 00:00:00 2001 From: Ping Li Date: Tue, 3 Jan 2017 11:48:06 -0800 Subject: msm: mdss: Add sanity check for Gamut LUT size The Gamut LUT size passed from user space needs to go through a sanity check to avoid heap overflow. This patch adds the missing sanity check in the Gamut LUT config write path. Change-Id: I365938e06dbc6ca01961c9be01db10a5a9c863e4 Signed-off-by: Ping Li --- drivers/video/fbdev/msm/mdss_mdp_pp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/msm/mdss_mdp_pp.c b/drivers/video/fbdev/msm/mdss_mdp_pp.c index 30dd3c8..951beae 100644 --- a/drivers/video/fbdev/msm/mdss_mdp_pp.c +++ b/drivers/video/fbdev/msm/mdss_mdp_pp.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -4827,6 +4827,11 @@ gamut_clk_off: goto gamut_set_dirty; } } + if (pp_gm_has_invalid_lut_size(config)) { + pr_debug("invalid lut size for gamut\n"); + ret = -EINVAL; + goto gamut_config_exit; + } local_cfg = *config; tbl_off = mdss_pp_res->gamut_tbl[disp_num]; for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++) { -- cgit v1.1