mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
39 lines
1.5 KiB
Diff
39 lines
1.5 KiB
Diff
From 31e2a2f0f2f3615cefd4400c707709bbc3e26170 Mon Sep 17 00:00:00 2001
|
|
From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
|
|
Date: Wed, 15 Feb 2017 15:08:09 +0530
|
|
Subject: msm: isp: fix for potentitial array out of bound access
|
|
|
|
There is no bound check on dual_hw_ms_cmd->num_src,
|
|
which is coming from userspace
|
|
num_src is used as the index for the input_src array
|
|
which has a size of 5.
|
|
The current code did not check the num_src to make sure
|
|
that it never exceeds the input_src array size.
|
|
|
|
CRs-Fixed: 2006169
|
|
Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
|
|
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
|
|
---
|
|
drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
|
|
index d8227e7..b2b39e0 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
|
|
@@ -618,6 +618,11 @@ static int msm_isp_set_dual_HW_master_slave_mode(
|
|
}
|
|
ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,
|
|
dual_hw_ms_cmd->num_src);
|
|
+ if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
|
|
+ pr_err("%s: Error! Invalid num_src %d\n", __func__,
|
|
+ dual_hw_ms_cmd->num_src);
|
|
+ return -EINVAL;
|
|
+ }
|
|
/* This for loop is for non-primary intf to be marked with Master/Slave
|
|
* in order for frame id sync. But their timestamp is not saved.
|
|
* So no sof_info resource is allocated */
|
|
--
|
|
cgit v1.1
|
|
|