From 8b44a684139301fa31548e8120b7e6299965572a Mon Sep 17 00:00:00 2001 From: Alok Kediya Date: Thu, 2 Mar 2017 15:51:35 +0530 Subject: [PATCH] msm: camera: Bound check for num_of_stream. - num of stream comes from userspace and used without any bound check.It may result to overflow update_info. CRs-Fixed: 2006829 Bug: 36232584 Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2 Signed-off-by: Alok Kediya --- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c index 43a2c77dcc8da..490ab13e4e607 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c @@ -817,6 +817,12 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg) struct msm_vfe_axi_stream_cfg_update_info *update_info = NULL; struct msm_isp_sw_framskip *sw_skip_info = NULL; + if (update_cmd->num_streams > MSM_ISP_STATS_MAX) { + pr_err("%s: Invalid num_streams %d\n", + __func__, update_cmd->num_streams); + return -EINVAL; + } + /*validate request*/ for (i = 0; i < update_cmd->num_streams; i++) { update_info = &update_cmd->update_info[i];