Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f8ed842b authored by Chinmay Sawarkar's avatar Chinmay Sawarkar
Browse files

msm: vidc: Fix use after free bug in set_output_buffers 



When set_buffers fails, binfo is freed and again accessed
while freeing smem memory.

CRs-Fixed: 2118860
Change-Id: Ifdd683f907862665e34d6d39d5a8634984804c01
Signed-off-by: default avatarChinmay Sawarkar <chinmays@codeaurora.org>
parent 51c75b62

drivers/media/platform/msm/vidc/msm_vidc_common.c

+3 −3
Original line number Diff line number Diff line
@@ -3384,7 +3384,7 @@ static int set_output_buffers(struct msm_vidc_inst *inst, 
	enum hal_buffer buffer_type)

{

	int rc = 0;

	struct internal_buf *binfo;

	struct internal_buf *binfo = NULL;

	u32 smem_flags = 0, buffer_size;

	struct hal_buffer_requirements *output_buf, *extradata_buf;

	int i;
@@ -3493,10 +3493,10 @@ static int set_output_buffers(struct msm_vidc_inst *inst, 
	}

	return rc;

fail_set_buffers:

	kfree(binfo);

fail_kzalloc:

	msm_comm_smem_free(inst, &binfo->smem);

err_no_mem:

	kfree(binfo);

fail_kzalloc:

	return rc;

}