mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-01 19:06:25 -05:00
160 lines
5.8 KiB
Diff
160 lines
5.8 KiB
Diff
From d4d4d1dd626b21e68e78395bab3382c1eb04877f Mon Sep 17 00:00:00 2001
|
|
From: Petar Sivenov <psiven@codeaurora.org>
|
|
Date: Tue, 10 Feb 2015 13:46:18 +0200
|
|
Subject: msm:camera:isp: fix array index bound checks
|
|
|
|
This change fixes several incorrect or missing array index bound checks.
|
|
|
|
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
|
|
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
|
|
---
|
|
.../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 56 ++++++++++++++--------
|
|
1 file changed, 36 insertions(+), 20 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
|
|
index e3be614..bc993cd 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
|
|
@@ -368,8 +368,8 @@ int msm_isp_axi_check_stream_state(
|
|
return -EINVAL;
|
|
|
|
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
|
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return -EINVAL;
|
|
}
|
|
stream_info = &axi_data->stream_info[
|
|
@@ -676,8 +676,10 @@ int msm_isp_request_axi_stream(struct vfe_device *vfe_dev, void *arg)
|
|
&vfe_dev->axi_data, stream_cfg_cmd);
|
|
if (rc) {
|
|
pr_err("%s: Request validation failed\n", __func__);
|
|
- msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
|
|
- HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle) <
|
|
+ MAX_NUM_STREAM)
|
|
+ msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
|
|
+ HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
|
|
return rc;
|
|
}
|
|
stream_info = &vfe_dev->axi_data.
|
|
@@ -748,11 +750,17 @@ int msm_isp_release_axi_stream(struct vfe_device *vfe_dev, void *arg)
|
|
int rc = 0, i;
|
|
struct msm_vfe_axi_stream_release_cmd *stream_release_cmd = arg;
|
|
struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
|
|
- struct msm_vfe_axi_stream *stream_info =
|
|
- &axi_data->stream_info[
|
|
- HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
|
|
+ struct msm_vfe_axi_stream *stream_info;
|
|
struct msm_vfe_axi_stream_cfg_cmd stream_cfg;
|
|
|
|
+
|
|
+ if (HANDLE_TO_IDX(stream_release_cmd->stream_handle) >=
|
|
+ MAX_NUM_STREAM) {
|
|
+ pr_err("%s: Invalid stream handle\n", __func__);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ stream_info = &axi_data->stream_info[
|
|
+ HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
|
|
if (stream_info->state == AVALIABLE) {
|
|
pr_err("%s: Stream already released\n", __func__);
|
|
return -EINVAL;
|
|
@@ -1069,6 +1077,11 @@ static void msm_isp_process_done_buf(struct vfe_device *vfe_dev,
|
|
uint8_t drop_frame = 0;
|
|
memset(&buf_event, 0, sizeof(buf_event));
|
|
|
|
+ if (stream_idx >= MAX_NUM_STREAM) {
|
|
+ pr_err("%s: Invalid stream_idx", __func__);
|
|
+ return;
|
|
+ }
|
|
+
|
|
frame_id = vfe_dev->axi_data.
|
|
src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
|
|
|
|
@@ -1235,8 +1248,8 @@ static void msm_isp_update_camif_output_count(
|
|
return;
|
|
|
|
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
|
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return;
|
|
}
|
|
stream_info =
|
|
@@ -1535,8 +1548,8 @@ static int msm_isp_axi_update_cgc_override(struct vfe_device *vfe_dev,
|
|
return -EINVAL;
|
|
|
|
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
|
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return -EINVAL;
|
|
}
|
|
stream_info = &axi_data->stream_info[
|
|
@@ -1567,8 +1580,8 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
|
|
return -EINVAL;
|
|
|
|
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
|
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return -EINVAL;
|
|
}
|
|
stream_info = &axi_data->stream_info[
|
|
@@ -1651,8 +1664,8 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev,
|
|
return -EINVAL;
|
|
|
|
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
|
|
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return -EINVAL;
|
|
}
|
|
stream_info = &axi_data->stream_info[
|
|
@@ -1916,8 +1929,8 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
|
|
for (i = 0; i < update_cmd->num_streams; i++) {
|
|
update_info = &update_cmd->update_info[i];
|
|
/*check array reference bounds*/
|
|
- if (HANDLE_TO_IDX(update_info->stream_handle)
|
|
- > MAX_NUM_STREAM) {
|
|
+ if (HANDLE_TO_IDX(update_info->stream_handle) >=
|
|
+ MAX_NUM_STREAM) {
|
|
return -EINVAL;
|
|
}
|
|
stream_info = &axi_data->stream_info[
|
|
@@ -2082,7 +2095,9 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
|
|
comp_info = &axi_data->composite_info[i];
|
|
wm_mask &= ~(comp_info->stream_composite_mask);
|
|
if (comp_mask & (1 << i)) {
|
|
- if (!comp_info->stream_handle) {
|
|
+ stream_idx = HANDLE_TO_IDX(comp_info->stream_handle);
|
|
+ if ((!comp_info->stream_handle) ||
|
|
+ (stream_idx >= MAX_NUM_STREAM)) {
|
|
pr_err("%s: Invalid handle for composite irq\n",
|
|
__func__);
|
|
continue;
|
|
@@ -2118,12 +2133,13 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
|
|
|
|
for (i = 0; i < axi_data->hw_info->num_wm; i++) {
|
|
if (wm_mask & (1 << i)) {
|
|
- if (!axi_data->free_wm[i]) {
|
|
+ stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
|
|
+ if ((!axi_data->free_wm[i]) ||
|
|
+ (stream_idx >= MAX_NUM_STREAM)) {
|
|
pr_err("%s: Invalid handle for wm irq\n",
|
|
__func__);
|
|
continue;
|
|
}
|
|
- stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
|
|
stream_info = &axi_data->stream_info[stream_idx];
|
|
ISP_DBG("%s: stream id %x frame id: 0x%x\n", __func__,
|
|
stream_info->stream_id, stream_info->frame_id);
|
|
--
|
|
cgit v1.1
|
|
|