From 884cff808385788fa620833c7e2160a4b98a21da Mon Sep 17 00:00:00 2001
From: raghavendra ambadas
Date: Mon, 16 Mar 2015 18:10:35 +0530
Subject: msm_fb: display: validate input args of mdp4_argc_process_write_req

A bounds check has to be done for r/g/b stages variables to avoid undetermined behaviour.

Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
Signed-off-by: Raghavendra Ambadas
---
 drivers/video/msm/mdp4_util.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/drivers/video/msm/mdp4_util.c b/drivers/video/msm/mdp4_util.c
index f8b7f2f..cfcccdb 100644
--- a/drivers/video/msm/mdp4_util.c
+++ b/drivers/video/msm/mdp4_util.c
@@ -2739,19 +2739,42 @@ static int mdp4_argc_process_write_req(uint32_t *offset,
 struct mdp_ar_gc_lut_data r[MDP_AR_GC_MAX_STAGES];
 struct mdp_ar_gc_lut_data g[MDP_AR_GC_MAX_STAGES];
 struct mdp_ar_gc_lut_data b[MDP_AR_GC_MAX_STAGES];
+ uint8_t num_r_stages;
+ uint8_t num_g_stages;
+ uint8_t num_b_stages;
+
+ if (get_user(num_r_stages, &pgc_ptr->num_r_stages)) {
+ pr_err("%s failed: num_r_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if (get_user(num_g_stages, &pgc_ptr->num_g_stages)) {
+ pr_err("%s failed: num_g_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if (get_user(num_b_stages, &pgc_ptr->num_b_stages)) {
+ pr_err("%s failed: num_b_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if ((!num_r_stages || num_r_stages > MDP_AR_GC_MAX_STAGES) ||
+ (!num_g_stages || num_g_stages > MDP_AR_GC_MAX_STAGES) ||
+ (!num_b_stages || num_b_stages > MDP_AR_GC_MAX_STAGES))
+ return -EINVAL;
 ret = copy_from_user(&r[0], pgc_ptr->r_data,
- pgc_ptr->num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
+ num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
 if (!ret) {
 ret = copy_from_user(&g[0], pgc_ptr->g_data,
- pgc_ptr->num_g_stages
+ num_g_stages
 * sizeof(struct mdp_ar_gc_lut_data));
 if (!ret)
 ret = copy_from_user(&b[0], pgc_ptr->b_data,
- pgc_ptr->num_b_stages
+ num_b_stages
 * sizeof(struct mdp_ar_gc_lut_data));
 }
--
cgit v1.1
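Review bot: The three added `get_user()` calls treat `pgc_ptr` as a user-space pointer, yet the unchanged `copy_from_user()` calls below them still read `pgc_ptr->r_data`, `pgc_ptr->g_data` and `pgc_ptr->b_data` with a plain dereference, so the two halves of the hunk disagree about where the structure lives. The caller is outside the hunk, so which side is right cannot be told from here. If `pgc_ptr` is a kernel copy of the ioctl argument, `get_user()` is the wrong accessor and may return -EFAULT on every call; a one-time snapshot such as `num_r_stages = pgc_ptr->num_r_stages;` ahead of the range check would be enough. If it really is a user pointer, the three data pointers need the same fetched-once treatment as the counts. Either way the range check against `MDP_AR_GC_MAX_STAGES` is what keeps the copies inside the on-stack `r`/`g`/`b` arrays and should stay, ideally with a `pr_err` on the `-EINVAL` path to match the other failure paths; the function body starts and ends outside the hunk.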