Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 21120555 authored by Junzhe Zou's avatar Junzhe Zou Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: isp: check the length of in port resource 



Free the IFE resource if the buffer size is not enough.

Change-Id: If7e358675eb6ce70a9ae9baacb279b3d17b71669
Signed-off-by: default avatarJunzhe Zou <jnzhezou@codeaurora.org>
Signed-off-by: default avatarVishalsingh Hajeri <vhajeri@codeaurora.org>
parent 5ea1ec83

drivers/media/platform/msm/camera/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c

+19 −0
Original line number Diff line number Diff line
@@ -1403,6 +1403,7 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, 
	uint32_t                           num_rdi_port_per_in = 0;

	uint32_t                           total_pix_port = 0;

	uint32_t                           total_rdi_port = 0;

	uint32_t                           in_port_length = 0;



	CAM_DBG(CAM_ISP, "Enter...");
@@ -1463,9 +1464,27 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, 
			isp_resource[i].res_hdl,

			isp_resource[i].length);



		in_port_length = sizeof(struct cam_isp_in_port_info);



		if (in_port_length > isp_resource[i].length) {

			CAM_ERR(CAM_ISP, "buffer size is not enough");

			rc = -EINVAL;

			goto free_res;

		}



		in_port = memdup_user((void __user *)isp_resource[i].res_hdl,

			isp_resource[i].length);

		if (!IS_ERR(in_port)) {

			in_port_length = sizeof(struct cam_isp_in_port_info) +

				(in_port->num_out_res - 1) *

				sizeof(struct cam_isp_out_port_info);

			if (in_port_length > isp_resource[i].length) {

				CAM_ERR(CAM_ISP, "buffer size is not enough");

				rc = -EINVAL;

				kfree(in_port);

				goto free_res;

			}



			rc = cam_ife_mgr_acquire_hw_for_ctx(ife_ctx, in_port,

				&num_pix_port_per_in, &num_rdi_port_per_in);

			total_pix_port += num_pix_port_per_in;