35 lines
1.3 KiB
Diff
35 lines
1.3 KiB
Diff
|
From 8b44a684139301fa31548e8120b7e6299965572a Mon Sep 17 00:00:00 2001
|
||
|
|
From: Alok Kediya <kediya@codeaurora.org>
|
||
|
|
Date: Thu, 2 Mar 2017 15:51:35 +0530
|
||
|
|
Subject: [PATCH] msm: camera: Bound check for num_of_stream.
|
||
|
|
|
||
|
|
- num of stream comes from userspace and used without
|
||
|
|
any bound check.It may result to overflow update_info.
|
||
|
|
|
||
|
|
CRs-Fixed: 2006829
|
||
|
|
|
||
|
|
Bug: 36232584
|
||
|
|
Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
|
||
|
|
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
|
||
|
|
---
|
||
|
|
drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 6 ++++++
|
||
|
|
1 file changed, 6 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||
|
|
index 43a2c77dcc8da..490ab13e4e607 100644
|
||
|
|
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||
|
|
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
|
||
|
|
@@ -817,6 +817,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
|
||
|
|
struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL;
|
||
|
|
struct msm_isp_sw_framskip *sw_skip_info = NULL;
|
||
|
|
|
||
|
|
+ if (update_cmd->num_streams > MSM_ISP_STATS_MAX) {
|
||
|
|
+ pr_err("%s: Invalid num_streams %d\n",
|
||
|
|
+ __func__, update_cmd->num_streams);
|
||
|
|
+ return -EINVAL;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
/*validate request*/
|
||
|
|
for (i = 0; i < update_cmd->num_streams; i++) {
|
||
|
|
update_info = &update_cmd->update_info[i];
|