From 771254edea3486535453dbb76d090cd6bcf92af9 Mon Sep 17 00:00:00 2001
From: Senthil Kumar Rajagopal
Date: Sat, 4 Mar 2017 12:05:44 +0530
Subject: msm: camera: isp: fix for out of bound access array There is no bound check in stream_cfg_cmd->num_streams, in functions msm_isp_check_stream_cfg_cmd and msm_isp_stats_update_cgc_override num_streams is used as the index for stream_cfg_cmd->stream_handle array which has a size of 15. Current code did not check the num_streams to make sure that did not exceed the array size
CRs-Fixed: 2006015
Change-Id: I7f195c764a4e6c12e4f7c680bc3c9aa7b078e625
Signed-off-by: Senthil Kumar Rajagopal
---
 drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
index f40af6e..b38226a 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
@@ -832,6 +832,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
 struct msm_vfe_stats_stream *stream_info;
 int k;
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+ pr_err("%s invalid num_streams %d\n", __func__,
+ stream_cfg_cmd->num_streams);
+ return -EINVAL;
+ }
+
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
@@ -961,6 +967,11 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev,
 int vfe_idx;
 uint32_t stats_idx[MSM_ISP_STATS_MAX];
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+ pr_err("%s invalid num_streams %d\n", __func__,
+ stream_cfg_cmd->num_streams);
+ return -EINVAL;
+ }
 memset(stats_idx, 0, sizeof(stats_idx));
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
 idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
--
cgit v1.1
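Review bot: The `num_streams > MSM_ISP_STATS_MAX` guard added at the top of msm_isp_stats_update_cgc_override, and repeated in msm_isp_check_stream_cfg_cmd, protects only these two functions, so any other routine that indexes `stream_cfg_cmd->stream_handle[i]` up to `num_streams` remains exposed unless it is only ever reached after one of them. The callers are outside both hunks, so that ordering should be confirmed, or the check moved to the single place where the command is first accepted. The `>` comparison is correct only if `stream_handle` is declared with `MSM_ISP_STATS_MAX` elements, which neither hunk shows (the `stats_idx[MSM_ISP_STATS_MAX]` declaration in the second hunk suggests it). If `num_streams` originates from user space, which the hunks do not establish, the unconditional `pr_err` lets a caller fill the kernel log by repeating the bad request; `pr_err_ratelimited("%s invalid num_streams %d\n", __func__, stream_cfg_cmd->num_streams);` would bound that. Both function bodies start and end outside their hunks.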