From 420d0dc1b4563880f962002e8cb21e733bf074eb Mon Sep 17 00:00:00 2001
From: Harsh Sahu
Date: Fri, 21 Apr 2017 16:12:22 -0700
Subject: [PATCH] msm: mdss: fix memcpy source and dest memory buffer size mismatch

Currently memcpy is copying from a bigger memory size to a smaller memory size, which may lead to buffer overflow. This change corrects this issue by performing the memcopy restricted to the smaller of the src or dest memory buffer.
Bug: 35258962
Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
Signed-off-by: Harsh Sahu
---
 drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 7159d91148645..ec08626ba7765 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -119,14 +119,18 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
 static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit, struct mdp_layer_commit32 *commit32)
 {
+ unsigned int destSize = sizeof(commit->commit_v1.reserved);
+ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
+ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
 commit->version = commit32->version;
 commit->commit_v1.flags = commit32->commit_v1.flags;
 commit->commit_v1.input_layer_cnt = commit32->commit_v1.input_layer_cnt;
 commit->commit_v1.left_roi = commit32->commit_v1.left_roi;
 commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
+
 memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
- sizeof(commit32->commit_v1.reserved));
+ count);
 }
 static struct mdp_input_layer32 *__create_layer_list32(
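Review bot: In `__copy_atomic_commit_struct`, whenever the destination `reserved` array is the larger of the two, the clamped `memcpy(..., count)` leaves its trailing bytes untouched. The hunk does not show whether the caller zero-initialises `commit`, so those bytes may stay uninitialised in a structure that later code presumably consumes. Clearing the field first with `memset(&commit->commit_v1.reserved, 0, sizeof(commit->commit_v1.reserved));` would make the result independent of the caller. On style, the three new locals store `sizeof` results in `unsigned int`, use camelCase, and are not followed by a blank line before the first statement. `size_t count = min(sizeof(commit->commit_v1.reserved), sizeof(commit32->commit_v1.reserved));` expresses the same bound in one declaration and matches kernel conventions.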