DivestOS/Patches/Linux_CVEs/CVE-2017-8251/4.4/0002.patch
2017-11-07 21:38:42 -05:00


From 771254edea3486535453dbb76d090cd6bcf92af9 Mon Sep 17 00:00:00 2001
From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Date: Sat, 4 Mar 2017 12:05:44 +0530
Subject: msm: camera: isp: fix for out of bound access array
There is no bounds check on stream_cfg_cmd->num_streams.
In the functions msm_isp_check_stream_cfg_cmd and
msm_isp_stats_update_cgc_override, num_streams is used as
the index for the stream_cfg_cmd->stream_handle array, which
has a size of 15. The current code did not check num_streams
to make sure that it did not exceed the array size.
CRs-Fixed: 2006015
Change-Id: I7f195c764a4e6c12e4f7c680bc3c9aa7b078e625
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
index f40af6e..b38226a 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
@@ -832,6 +832,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
struct msm_vfe_stats_stream *stream_info;
int k;
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+ pr_err("%s invalid num_streams %d\n", __func__,
+ stream_cfg_cmd->num_streams);
+ return -EINVAL;
+ }
+
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
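Review bot: The new guard in msm_isp_stats_update_cgc_override compares num_streams with MSM_ISP_STATS_MAX, but the array the loop actually reads is stream_cfg_cmd->stream_handle, whose declaration is not visible in this hunk (the commit message gives its size as 15). Tying the bound to the array itself, `if (stream_cfg_cmd->num_streams > ARRAY_SIZE(stream_cfg_cmd->stream_handle)) {`, keeps the check correct if the constant and the declaration ever diverge; the same applies to the identical guard added in msm_isp_check_stream_cfg_cmd. A short comment such as `/* num_streams bounds the stream_handle[] loop below */` would also record why the check sits here. The function body continues outside the hunk.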
@@ -961,6 +967,11 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev,
int vfe_idx;
uint32_t stats_idx[MSM_ISP_STATS_MAX];
+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
+ pr_err("%s invalid num_streams %d\n", __func__,
+ stream_cfg_cmd->num_streams);
+ return -EINVAL;
+ }
memset(stats_idx, 0, sizeof(stats_idx));
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
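Review bot: The added guard bounds the loop count, but idx, which is derived from each stream_handle[i] entry through STATS_IDX(), is not range-checked in the visible lines. If idx is later used to index stats_idx[MSM_ISP_STATS_MAX] or a per-device stream table, it needs its own check, for example `if (idx >= MSM_ISP_STATS_MAX) return -EINVAL;` right after the STATS_IDX() line. The rest of msm_isp_check_stream_cfg_cmd lies outside the hunk, so such a check may already exist there; that is worth confirming before merging.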
--
cgit v1.1