From d793c6d91ecba2a1fd206ad47a4fd408d290addf Mon Sep 17 00:00:00 2001
|
|
From: Trilokesh Rangam <tranga@codeaurora.org>
|
|
Date: Wed, 23 Nov 2016 09:41:36 +0530
|
|
Subject: msm-camera: Addressing possible overflow conditions
|
|
|
|
Changes to address possible integer overflow and incorrect
|
|
array indexing conditions.
|
|
|
|
Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9
|
|
Signed-off-by: Trilokesh Rangam <tranga@codeaurora.org>
|
|
---
|
|
drivers/media/video/msm/io/msm_camera_io_util.c | 6 +++++
|
|
drivers/media/video/msm/msm_mctl_pp.c | 36 ++++++++++++++++++++++---
|
|
2 files changed, 38 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/drivers/media/video/msm/io/msm_camera_io_util.c b/drivers/media/video/msm/io/msm_camera_io_util.c
|
|
index cede05d..1d2a70c 100644
|
|
--- a/drivers/media/video/msm/io/msm_camera_io_util.c
|
|
+++ b/drivers/media/video/msm/io/msm_camera_io_util.c
|
|
@@ -181,6 +181,12 @@ int msm_camera_config_vreg(struct device *dev, struct camera_vreg_t *cam_vreg,
|
|
pr_err("%s:%d vreg sequence invalid\n", __func__, __LINE__);
|
|
return -EINVAL;
|
|
}
|
|
+
|
|
+ if (cam_vreg == NULL) {
|
|
+ pr_err("%s:%d cam_vreg sequence invalid\n", __func__, __LINE__);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
if (!num_vreg_seq)
|
|
num_vreg_seq = num_vreg;
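Review bot: The new log text `cam_vreg sequence invalid` is copied from the check just above and does not say what failed, which is a NULL `cam_vreg` pointer. Something like `pr_err("%s:%d cam_vreg is NULL\n", __func__, __LINE__);` would make the kernel log usable for triage. The added guard only rejects a NULL table. Whether indexes into `cam_vreg` are bounded by `num_vreg` is decided in the part of msm_camera_config_vreg outside this hunk, so that is worth confirming against the commit's stated goal of fixing array indexing.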
|
|
|
|
diff --git a/drivers/media/video/msm/msm_mctl_pp.c b/drivers/media/video/msm/msm_mctl_pp.c
|
|
index 8f4f004..61321bf 100644
|
|
--- a/drivers/media/video/msm/msm_mctl_pp.c
|
|
+++ b/drivers/media/video/msm/msm_mctl_pp.c
|
|
@@ -36,6 +36,8 @@
|
|
#define D(fmt, args...) do {} while (0)
|
|
#endif
|
|
|
|
+#define UINT32_MAX (4294967295U)
|
|
+
|
|
static int msm_mctl_pp_buf_divert(
|
|
struct msm_cam_media_controller *pmctl,
|
|
struct msm_cam_v4l2_dev_inst *pcam_inst,
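Review bot: The added `#define UINT32_MAX (4294967295U)` is unguarded, so it will clash with any header this file includes that already provides the macro. Wrapping it in `#ifndef UINT32_MAX` / `#endif`, or using the kernel's `U32_MAX` if this tree has it, avoids a redefinition. The overflow checks that use it later in the file are only correct if `phy_addr`, `data_offset` and `y_off` are 32-bit unsigned fields. Their declarations are not visible in this patch, so a one-line comment on the define stating that assumption would help, e.g. `/* upper bound for the 32-bit physical address fields checked below */`.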
|
|
@@ -668,11 +670,24 @@ int msm_mctl_pp_done(
|
|
dirty = 1;
|
|
}
|
|
} else {
|
|
- if (frame.num_planes > 1)
|
|
+ if (frame.num_planes > 1) {
|
|
+ if (frame.mp[0].phy_addr >
|
|
+ (UINT32_MAX - frame.mp[0].data_offset)) {
|
|
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
|
|
+ return -EINVAL;
|
|
+
|
|
+ }
|
|
buf.ch_paddr[0] = frame.mp[0].phy_addr +
|
|
frame.mp[0].data_offset;
|
|
- else
|
|
+ } else {
|
|
+ if (frame.sp.phy_addr >
|
|
+ (UINT32_MAX - frame.sp.y_off)) {
|
|
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
|
|
+ return -EINVAL;
|
|
+
|
|
+ }
|
|
buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
|
|
+ }
|
|
}
|
|
spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
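Review bot: Both new `return -EINVAL;` paths sit directly above `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);`, so they appear to return with `pp_info.lock` still held and interrupts still disabled. The matching lock call is outside the hunk, but the placement of the unlock suggests the lock is taken before this block. If so, a userspace-supplied frame with an overflowing offset would turn a rejected request into a hung CPU or deadlock on the next lock attempt. Add `spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);` before each `return -EINVAL;`, or set an error code and fall through to the existing unlock. The same pattern is repeated in the msm_mctl_pp_divert_done hunk that follows and needs the same fix.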
|
|
|
|
@@ -713,11 +728,24 @@ int msm_mctl_pp_divert_done(
|
|
buf_handle.image_mode = frame.image_type;
|
|
}
|
|
|
|
- if (frame.num_planes > 1)
|
|
+ if (frame.num_planes > 1) {
|
|
+ if (frame.mp[0].phy_addr >
|
|
+ (UINT32_MAX - frame.mp[0].data_offset)) {
|
|
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
|
|
+ return -EINVAL;
|
|
+
|
|
+ }
|
|
buf.ch_paddr[0] = frame.mp[0].phy_addr +
|
|
frame.mp[0].data_offset;
|
|
- else
|
|
+ } else {
|
|
+ if (frame.sp.phy_addr >
|
|
+ (UINT32_MAX - frame.sp.y_off)) {
|
|
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
|
|
+ return -EINVAL;
|
|
+
|
|
+ }
|
|
buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
|
|
+ }
|
|
|
|
spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
|
|
|
|
--
|
|
cgit v1.1
|
|
|