msm: vidc: Ensure size of the data available before typecasting

				"hal_process_session_init_done: bad_pkt_size\n");

		return -E2BIG;

	}

	if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32)

		+ sizeof(struct hfi_msg_release_buffer_ref_event_packet)) {

		dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",

			__func__, pkt->size);

		return -E2BIG;

	}

	data = (struct hfi_msg_release_buffer_ref_event_packet *)

				pkt->rg_ext_event_data;

	struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt;

	struct msm_vidc_cb_data_done data_done = {0};

	struct hfi_picture_type *hfi_picture_type = NULL;

	u32 is_sync_frame;

	dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id);

	if (!pkt || pkt->size <

		sizeof(struct hfi_msg_session_empty_buffer_done_packet)) {

		dprintk(VIDC_ERR,

				"hal_process_session_etb_done: bad_pkt_size\n");

		return -E2BIG;

	}

		sizeof(struct hfi_msg_session_empty_buffer_done_packet))

		goto bad_packet_size;

	data_done.device_id = device_id;

	data_done.session_id = (void *)(uintptr_t)pkt->session_id;

	data_done.input_done.extra_data_buffer = pkt->extra_data_buffer;

	data_done.input_done.status =

		hfi_map_err_status(pkt->error_type);

	hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0];

	if (hfi_picture_type->is_sync_frame) {

	is_sync_frame = pkt->rgData[0];

	if (is_sync_frame == 1) {

		if (pkt->size <

			sizeof(struct hfi_msg_session_empty_buffer_done_packet)

			+ sizeof(struct hfi_picture_type))

			goto bad_packet_size;

		hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1];

		if (hfi_picture_type->picture_type)

			data_done.input_done.flags =

				hfi_picture_type->picture_type;

	info->response.data = data_done;

	return 0;

bad_packet_size:

	dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",

		__func__, pkt ? pkt->size : 0);

	return -E2BIG;

}

static int hfi_process_session_ftb_done(

	cmd_done.size = sizeof(struct msm_vidc_cb_cmd_done);

	cmd_done.session_id = (void *)(uintptr_t)pkt->session_id;

	cmd_done.status = hfi_map_err_status(pkt->error_type);

	cmd_done.data.buffer_info =

			*(struct hal_buffer_info *)pkt->rg_buffer_info;

	cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info;

	cmd_done.size = sizeof(struct hal_buffer_info);

	info->response_type = HAL_SESSION_RELEASE_BUFFER_DONE;

/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

	u32 extra_data_buffer;

	u32 flags;

	struct hfi_frame_cr_stats_type ubwc_cr_stats;

	u32 rgData[0];

	u32 rgData[1];

};

struct hfi_msg_session_fill_buffer_done_compressed_packet {

};

struct hfi_picture_type {

	u32 is_sync_frame;

	u32 picture_type;

};

				"hal_process_session_init_done: bad_pkt_size\n");

		return -E2BIG;

	}

	if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32)

		+ sizeof(struct hfi_msg_release_buffer_ref_event_packet)) {

		dprintk(VIDC_ERR,

			"hfi_msg_release_buffer_ref_event: bad_pkt_size\n");

		return -E2BIG;

	}

	data = (struct hfi_msg_release_buffer_ref_event_packet *)

				pkt->rg_ext_event_data;

	struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt;

	struct msm_vidc_cb_data_done data_done = {0};

	struct hfi_picture_type *hfi_picture_type = NULL;

	u32 is_sync_frame;

	dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id);

	if (!pkt || pkt->size <

		sizeof(struct hfi_msg_session_empty_buffer_done_packet)) {

		dprintk(VIDC_ERR,

				"hal_process_session_etb_done: bad_pkt_size\n");

		return -E2BIG;

	}

		sizeof(struct hfi_msg_session_empty_buffer_done_packet))

		goto bad_packet_size;

	data_done.device_id = device_id;

	data_done.session_id = (void *)(uintptr_t)pkt->session_id;

		(ion_phys_addr_t)pkt->extra_data_buffer;

	data_done.input_done.status =

		hfi_map_err_status(pkt->error_type);

	hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0];

	if (hfi_picture_type->is_sync_frame) {

	is_sync_frame = pkt->rgData[0];

	if (is_sync_frame == 1) {

		if (pkt->size <

			sizeof(struct hfi_msg_session_empty_buffer_done_packet)

			+ sizeof(struct hfi_picture_type))

			goto bad_packet_size;

		hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1];

		if (hfi_picture_type->picture_type)

			data_done.input_done.flags =

				hfi_picture_type->picture_type;

	};

	return 0;

bad_packet_size:

	dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",

		__func__, pkt ? pkt->size : 0);

	return -E2BIG;

}

static int hfi_process_session_ftb_done(

	cmd_done.session_id = (void *)(uintptr_t)pkt->session_id;

	cmd_done.status = hfi_map_err_status(pkt->error_type);

	if (pkt->rg_buffer_info) {

		cmd_done.data.buffer_info =

			*(struct hal_buffer_info *)pkt->rg_buffer_info;

		cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info;

		cmd_done.size = sizeof(struct hal_buffer_info);

	} else {

		dprintk(VIDC_ERR, "invalid payload in rel_buff_done\n");

/* Copyright (c) 2012-2016, 2018 The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2016, 2018-2019 The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

	u32 input_tag;

	u32 packet_buffer;

	u32 extra_data_buffer;

	u32 rgData[0];

	u32 rgData[1];

};

struct hfi_msg_session_fill_buffer_done_compressed_packet {