Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
aaa94329a5
DivestOS/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

61 lines
2.2 KiB
Diff
Raw Blame History

From a8cb976e7c8f25191728b655e0b38328a6d7d81f Mon Sep 17 00:00:00 2001
From: Benjamin Chan <bkchan@codeaurora.org>
Date: Wed, 19 Apr 2017 16:24:40 -0400
Subject: msm: mdss: Add plane_count range check in mdss WFD
For any given output buffer to the MDSS WFD, it is necessary to check
the range of the plane_count against the MAX_PLANES definition, in order
to avoid any out of bound access.
CRs-Fixed: 2028702
Change-Id: I4f1497a3a2e4ca2d30fc268e68cfdacc0d8539ea
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
---
drivers/video/fbdev/msm/mdss_mdp_layer.c | 6 ++++++
drivers/video/fbdev/msm/mdss_mdp_wfd.c | 8 +++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/msm/mdss_mdp_layer.c b/drivers/video/fbdev/msm/mdss_mdp_layer.c
index 09a3422..5e96a08 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_layer.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_layer.c
@@ -3035,6 +3035,12 @@ int mdss_mdp_layer_pre_commit_wfd(struct msm_fb_data_type *mfd,
wfd = mdp5_data->wfd;
output_layer = commit->output_layer;
+ if (output_layer->buffer.plane_count > MAX_PLANES) {
+ pr_err("Output buffer plane_count exceeds MAX_PLANES limit:%d\n",
+ output_layer->buffer.plane_count);
+ return -EINVAL;
+ }
+
data = mdss_mdp_wfd_add_data(wfd, output_layer);
if (IS_ERR_OR_NULL(data))
return PTR_ERR(data);
diff --git a/drivers/video/fbdev/msm/mdss_mdp_wfd.c b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
index 71a07f6..7868dc0 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_wfd.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -322,6 +322,12 @@ int mdss_mdp_wb_import_data(struct device *device,
if (wfd_data->layer.flags & MDP_LAYER_SECURE_SESSION)
flags = MDP_SECURE_OVERLAY_SESSION;
+ if (buffer->plane_count > MAX_PLANES) {
+ pr_err("buffer plane_count exceeds MAX_PLANES limit:%d",
+ buffer->plane_count);
+ return -EINVAL;
+ }
+
memset(planes, 0, sizeof(planes));
for (i = 0; i < buffer->plane_count; i++) {
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink