Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5fcc58b1 authored by Prakasha Nayak's avatar Prakasha Nayak
Browse files

msm: camera: icp: Prevent out of bound access in acquire 



In ICP during acquire, no of output resource can change
from usespace. Change in no of output resource after the
memory allocation may result in out of bound access.
This can be avoided by checking value of no of output
resource during the allocation to the value copied from
userspace after allocation.

Change-Id: Ife0a96bd61fad0ad0481af01734fc4cff68baf5a
Signed-off-by: default avatarPrakasha Nayak <pnayak@codeaurora.org>
parent ed85a423

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c

+7 −0
Original line number Diff line number Diff line
@@ -4690,6 +4690,13 @@ static int cam_icp_get_acquire_info(struct cam_icp_hw_mgr *hw_mgr, 
		return -EFAULT;

	}



	/* To make sure num_out_res is same as allocated */

	if (ctx_data->icp_dev_acquire_info->num_out_res !=

		icp_dev_acquire_info.num_out_res) {

		CAM_ERR(CAM_ICP, "num_out_res got changed");

		return -EFAULT;

	}



	CAM_DBG(CAM_ICP, "%x %x %x %x %x %x %x",

		ctx_data->icp_dev_acquire_info->dev_type,

		ctx_data->icp_dev_acquire_info->in_res.format,