From 31e2a2f0f2f3615cefd4400c707709bbc3e26170 Mon Sep 17 00:00:00 2001
From: Senthil Kumar Rajagopal
Date: Wed, 15 Feb 2017 15:08:09 +0530
Subject: msm: isp: fix for potentitial array out of bound access

There is no bound check on dual_hw_ms_cmd->num_src, which is coming from userspace num_src is used as the index for the input_src array which has a size of 5. The current code did not check the num_src to make sure that it never exceeds the input_src array size.

CRs-Fixed: 2006169
Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
Signed-off-by: Senthil Kumar Rajagopal
---
 drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index d8227e7..b2b39e0 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -618,6 +618,11 @@ static int msm_isp_set_dual_HW_master_slave_mode(
 }
 ISP_DBG("%s: vfe %d num_src %d\n", __func__,
 vfe_dev->pdev->id, dual_hw_ms_cmd->num_src);
+ if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
+ pr_err("%s: Error! Invalid num_src %d\n", __func__,
+ dual_hw_ms_cmd->num_src);
+ return -EINVAL;
+ }
 /* This for loop is for non-primary intf to be marked with Master/Slave
 * in order for frame id sync. But their timestamp is not saved.
 * So no sof_info resource is allocated */
--
cgit v1.1
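Review bot: The new `> VFE_SRC_MAX` test closes the hole only if every use of num_src below is an exclusive loop bound (`i < num_src`) and input_src really holds VFE_SRC_MAX entries; `num_src == VFE_SRC_MAX` passes this check, so any direct `input_src[num_src]` access would still be one past the end. Tying the limit to the array itself, `if (dual_hw_ms_cmd->num_src > ARRAY_SIZE(dual_hw_ms_cmd->input_src)) {`, keeps the check correct should the array length and the enum ever diverge, provided input_src is a fixed-size array member as the description implies. The `%d` in the new pr_err should match num_src's declared type, which is not visible here; use `%u` if it is unsigned. The body of msm_isp_set_dual_HW_master_slave_mode, including the loop that walks input_src, continues outside the hunk, so the loop's bound form should be confirmed there.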