mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
61 lines
2.3 KiB
Diff
61 lines
2.3 KiB
Diff
From 64b7bc25e019dd07e8042e0a6ec6dc6a1dd0c385 Mon Sep 17 00:00:00 2001
|
|
From: Pratap Nirujogi <pratapn@codeaurora.org>
|
|
Date: Mon, 20 Feb 2017 17:29:33 +0530
|
|
Subject: msm: camera: cpp: Fixing Heap overflow in output buffer
|
|
|
|
Issue:
|
|
Missing bound check when writing into the output array
|
|
buffer, which can lead to out-of-bound heap write.
|
|
|
|
Fix:
|
|
Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
|
|
macro and size check to the place where the array is
|
|
accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
|
|
Caller will return -EINVAL for '0'.
|
|
|
|
Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
|
|
CRs-Fixed: 2004036
|
|
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
|
|
---
|
|
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 ++
|
|
include/uapi/media/msmb_pproc.h | 3 ++-
|
|
2 files changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
index e35a744..19d9bbb 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
@@ -2045,6 +2045,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
|
|
/* More or equal bufs as Input buffer */
|
|
num_output_bufs = new_frame->batch_info.batch_size;
|
|
}
|
|
+ if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
|
|
+ return 0;
|
|
for (i = 0; i < num_output_bufs; i++) {
|
|
new_frame->output_buffer_info[i].index =
|
|
buff_mgr_info->user_buf.buf_idx[i];
|
|
diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
|
|
index b65669b..8f45457 100644
|
|
--- a/include/uapi/media/msmb_pproc.h
|
|
+++ b/include/uapi/media/msmb_pproc.h
|
|
@@ -16,6 +16,7 @@
|
|
#define MSM_CPP_MAX_FRAME_LENGTH 4096
|
|
#define MSM_CPP_MAX_FW_NAME_LEN 32
|
|
#define MAX_FREQ_TBL 10
|
|
+#define MSM_OUTPUT_BUF_CNT 8
|
|
|
|
enum msm_cpp_frame_type {
|
|
MSM_CPP_OFFLINE_FRAME,
|
|
@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
|
|
uint32_t feature_mask;
|
|
uint8_t we_disable;
|
|
struct msm_cpp_buffer_info_t input_buffer_info;
|
|
- struct msm_cpp_buffer_info_t output_buffer_info[8];
|
|
+ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
|
|
struct msm_cpp_buffer_info_t duplicate_buffer_info;
|
|
struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
|
|
uint32_t reserved;
|
|
--
|
|
cgit v1.1
|
|
|