DivestOS/Patches/Linux_CVEs/CVE-2014-9778/0.patch

49 lines
1.6 KiB
Diff

From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001
From: "Pachika, Vikas Reddy" <vpachi@codeaurora.org>
Date: Fri, 1 Nov 2013 21:06:37 +0530
Subject: msm: vidc: Validate userspace buffer count
Makesure the number of buffers count is less than
the maximum limit to avoid structure overflow errors.
Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31
CRs-fixed: 563694
Signed-off-by: Pachika, Vikas Reddy <vpachi@codeaurora.org>
---
drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
include/media/msm/vidc_init.h | 1 +
2 files changed, 7 insertions(+)
diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
index a843889..b45100f 100644
--- a/drivers/video/msm/vidc/common/dec/vdec.c
+++ b/drivers/video/msm/vidc/common/dec/vdec.c
@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx,
vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd;
vcd_h264_mv_buffer->offset = mv_data->offset;
+ if (mv_data->count > MAX_MV_BUFFERS) {
+ ERR("MV buffers maximum count reached, count = %d",
+ mv_data->count);
+ return false;
+ }
+
if (!vcd_get_ion_status()) {
if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd,
(unsigned long *) (&(vcd_h264_mv_buffer->
diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h
index c35f770..5df0c3e 100644
--- a/include/media/msm/vidc_init.h
+++ b/include/media/msm/vidc_init.h
@@ -20,6 +20,7 @@
#define VIDC_MAX_NUM_CLIENTS 4
#define MAX_VIDEO_NUM_OF_BUFF 100
#define MAX_META_BUFFERS 32
+#define MAX_MV_BUFFERS 32
enum buffer_dir {
BUFFER_TYPE_INPUT,
--
cgit v1.1