
Commit 15abc70d authored by Karthik Anantha Ram, committed by Karthik Anantha Ram

msm: camera: Modify size field in icp handles



Modify the size parameter being sent as part of the
abort and destroy handle in icp hardware manager. An
extra 4 bytes more than the accessible data to read is
being sent in the size field leading to an overread.

Change-Id: I05bcbeb7899506db615a6fb481a3967614a03cb3
Signed-off-by: Karthik Anantha Ram <kartanan@codeaurora.org>
parent 3cc03bb1
+2 −6
@@ -568,9 +568,7 @@ static int cam_icp_mgr_abort_handle(
		return -ENOMEM;

	abort_cmd.size =
		sizeof(struct hfi_cmd_ipebps_async) +
		sizeof(struct hfi_cmd_abort_destroy) -
		sizeof(abort_cmd.payload.direct);
		sizeof(struct hfi_cmd_ipebps_async);
	abort_cmd.pkt_type = HFI_CMD_IPEBPS_ASYNC_COMMAND_DIRECT;
	if (ctx_data->icp_dev_acquire_info->dev_type == CAM_ICP_RES_TYPE_BPS)
		abort_cmd.opcode = HFI_IPEBPS_CMD_OPCODE_BPS_ABORT;
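Review bot: In the `abort_cmd.size` assignment, the new value names the type (`sizeof(struct hfi_cmd_ipebps_async)`) instead of the object that is actually handed off. If `abort_cmd` is declared with that type (the declaration is outside this hunk), `abort_cmd.size = sizeof(abort_cmd);` keeps the advertised length tied to the buffer being read, so it cannot drift past the object again if the declaration or the struct layout changes. A short comment above the assignment saying that the size must not exceed the command object would also record why the `sizeof(struct hfi_cmd_abort_destroy) - sizeof(abort_cmd.payload.direct)` term was dropped, since the commit message attributes the overread to the 4 extra bytes that term contributed.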
@@ -622,9 +620,7 @@ static int cam_icp_mgr_destroy_handle(
		return -ENOMEM;

	destroy_cmd.size =
		sizeof(struct hfi_cmd_ipebps_async) +
		sizeof(struct ipe_bps_destroy) -
		sizeof(destroy_cmd.payload.direct);
		sizeof(struct hfi_cmd_ipebps_async);
	destroy_cmd.pkt_type = HFI_CMD_IPEBPS_ASYNC_COMMAND_DIRECT;
	if (ctx_data->icp_dev_acquire_info->dev_type == CAM_ICP_RES_TYPE_BPS)
		destroy_cmd.opcode = HFI_IPEBPS_CMD_OPCODE_BPS_DESTROY;
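Review bot: The `destroy_cmd.size` assignment is now the same expression as the one in cam_icp_mgr_abort_handle, so the length rule lives in two places that have to be kept in sync by hand. Consider `destroy_cmd.size = sizeof(destroy_cmd);` here as well, or a single shared macro for the direct-command size, so both paths stay bounded by the object they send. The removed expression counted `sizeof(struct ipe_bps_destroy)` in the length, so it is also worth stating in the commit message or a comment that the receiver of this command does not need the destroy payload length included in `size`; that cannot be confirmed from the lines shown.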