Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ce34a06e authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: vidc: Ensure size of the data available before typecasting"

parents 760ff0ac 3be0ff39

msm/vidc/hfi_response_handler.c

+21 −9
Original line number Diff line number Diff line
@@ -334,6 +334,12 @@ static int hfi_process_evt_release_buffer_ref(u32 device_id, 
		dprintk(VIDC_ERR, "%s: bad_pkt_size\n", __func__);

		return -E2BIG;

	}

	if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32)

		+ sizeof(struct hfi_msg_release_buffer_ref_event_packet)) {

		dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",

			__func__, pkt->size);

		return -E2BIG;

	}



	data = (struct hfi_msg_release_buffer_ref_event_packet *)

				pkt->rg_ext_event_data;
@@ -762,15 +768,13 @@ static int hfi_process_session_etb_done(u32 device_id, 
	struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt;

	struct msm_vidc_cb_data_done data_done = {0};

	struct hfi_picture_type *hfi_picture_type = NULL;

	u32 is_sync_frame;



	dprintk(VIDC_LOW, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id);



	if (!pkt || pkt->size <

		sizeof(struct hfi_msg_session_empty_buffer_done_packet)) {

		dprintk(VIDC_ERR,

				"hal_process_session_etb_done: bad_pkt_size\n");

		return -E2BIG;

	}

		sizeof(struct hfi_msg_session_empty_buffer_done_packet))

		goto bad_packet_size;



	data_done.device_id = device_id;

	data_done.session_id = (void *)(uintptr_t)pkt->session_id;
@@ -790,8 +794,13 @@ static int hfi_process_session_etb_done(u32 device_id, 
	data_done.input_done.extra_data_buffer = pkt->extra_data_buffer;

	data_done.input_done.status =

		hfi_map_err_status(pkt->error_type);

	hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0];

	if (hfi_picture_type->is_sync_frame) {

	is_sync_frame = pkt->rgData[0];

	if (is_sync_frame) {

		if (pkt->size <

			sizeof(struct hfi_msg_session_empty_buffer_done_packet)

			+ sizeof(struct hfi_picture_type))

			goto bad_packet_size;

		hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1];

		if (hfi_picture_type->picture_type)

			data_done.input_done.flags =

				hfi_picture_type->picture_type;
@@ -808,6 +817,10 @@ static int hfi_process_session_etb_done(u32 device_id, 
	info->response.data = data_done;



	return 0;

bad_packet_size:

	dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",

		__func__, pkt ? pkt->size : 0);

	return -E2BIG;

}



static int hfi_process_session_ftb_done(
@@ -1038,8 +1051,7 @@ static int hfi_process_session_rel_buf_done(u32 device_id, 
	cmd_done.size = sizeof(struct msm_vidc_cb_cmd_done);

	cmd_done.session_id = (void *)(uintptr_t)pkt->session_id;

	cmd_done.status = hfi_map_err_status(pkt->error_type);

	cmd_done.data.buffer_info =

		*(struct hal_buffer_info *)pkt->rg_buffer_info;

	cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info;

	cmd_done.size = sizeof(struct hal_buffer_info);



	info->response_type = HAL_SESSION_RELEASE_BUFFER_DONE;

msm/vidc/vidc_hfi.h

+1 −1
Original line number Diff line number Diff line
@@ -589,7 +589,7 @@ struct hfi_msg_session_empty_buffer_done_packet { 
	u32 extra_data_buffer;

	u32 flags;

	struct hfi_frame_cr_stats_type ubwc_cr_stats;

	u32 rgData[0];

	u32 rgData[1];

};



struct hfi_msg_session_fill_buffer_done_compressed_packet {

msm/vidc/vidc_hfi_helper.h

+0 −1
Original line number Diff line number Diff line
@@ -659,7 +659,6 @@ struct hfi_bit_depth { 
};



struct hfi_picture_type {

	u32 is_sync_frame;

	u32 picture_type;

};