
Commit a5b2f2c6 authored by Vishalsingh Hajeri's avatar Vishalsingh Hajeri Committed by Gerrit - the friendly Code Review server

msm: camera: Add bounds checking for output resources



num_out_res which is part of acquire arguments from UMD
is not validated. Compute buffer size only if
num_out_res is within the valid range.

Change-Id: I9cc577df8f92b66f7f721977575d58536e4c1f2f
Signed-off-by: default avatarVishalsingh Hajeri <vhajeri@codeaurora.org>
parent 88aefb67
+3 −2
@@ -4487,8 +4487,9 @@ static int cam_icp_get_acquire_info(struct cam_icp_hw_mgr *hw_mgr,
		return -EINVAL;
	}

	if (icp_dev_acquire_info.num_out_res > ICP_MAX_OUTPUT_SUPPORTED) {
		CAM_ERR(CAM_ICP, "num of out resources exceeding : %u",
	if ((icp_dev_acquire_info.num_out_res > ICP_MAX_OUTPUT_SUPPORTED) ||
		(icp_dev_acquire_info.num_out_res <= 0)) {
		CAM_ERR(CAM_ICP, "Invalid num of out resources: %u",
			icp_dev_acquire_info.num_out_res);
		return -EINVAL;
	}
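Review bot: The added test `(icp_dev_acquire_info.num_out_res <= 0)` is written as a signed comparison, while the message prints the same field with `%u`. If the field is unsigned, as the format suggests, the test can only ever match zero and reads more clearly as `(icp_dev_acquire_info.num_out_res == 0)`. If it is in fact signed, the format should be `%d` so that a negative count coming from user space is logged as such. The field's declaration is outside the hunk, so its type is inferred here; the same pattern appears in both `in_port->num_out_res` checks in the IFE manager section.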
+17 −7
@@ -1691,6 +1691,14 @@ static int cam_ife_mgr_check_and_update_fe(
		((uint8_t *)&acquire_hw_info->data +
		 acquire_hw_info->input_info_offset);
	for (i = 0; i < acquire_hw_info->num_inputs; i++) {

		if ((in_port->num_out_res > CAM_IFE_HW_OUT_RES_MAX) ||
			(in_port->num_out_res <= 0)) {
			CAM_ERR(CAM_ISP, "Invalid num output res %u",
				in_port->num_out_res);
			return -EINVAL;
		}

		in_port_length = sizeof(struct cam_isp_in_port_info) +
			(in_port->num_out_res - 1) *
			sizeof(struct cam_isp_out_port_info);
@@ -1927,7 +1935,6 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, void *acquire_hw_args)
	}
	cdm_acquire.base_array_cnt = j;


	cdm_acquire.id = CAM_CDM_VIRTUAL;
	cdm_acquire.cam_cdm_callback = cam_ife_cam_cdm_callback;
	rc = cam_cdm_acquire(&cdm_acquire);
@@ -1943,21 +1950,23 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, void *acquire_hw_args)

	acquire_hw_info =
		(struct cam_isp_acquire_hw_info *)acquire_args->acquire_info;
	in_port = (struct cam_isp_in_port_info *)
		((uint8_t *)&acquire_hw_info->data +
		 acquire_hw_info->input_info_offset);

	rc = cam_ife_mgr_check_and_update_fe(ife_ctx, acquire_hw_info);
	if (rc) {
		CAM_ERR(CAM_ISP, "buffer size is not enough");
		goto free_ctx;
		goto free_cdm;
	}

	in_port = (struct cam_isp_in_port_info *)
		((uint8_t *)&acquire_hw_info->data +
		 acquire_hw_info->input_info_offset);

	/* acquire HW resources */
	for (i = 0; i < acquire_hw_info->num_inputs; i++) {

		if (in_port->num_out_res > CAM_IFE_HW_OUT_RES_MAX) {
			CAM_ERR(CAM_ISP, "too many output res %d",
		if ((in_port->num_out_res > CAM_IFE_HW_OUT_RES_MAX) ||
			(in_port->num_out_res <= 0)) {
			CAM_ERR(CAM_ISP, "Invalid num output res %u",
				in_port->num_out_res);
			rc = -EINVAL;
			goto free_res;
@@ -2010,6 +2019,7 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, void *acquire_hw_args)
	return 0;
free_res:
	cam_ife_hw_mgr_release_hw_for_ctx(ife_ctx);
free_cdm:
	cam_cdm_release(ife_ctx->cdm_handle);
free_ctx:
	cam_ife_hw_mgr_put_ctx(&ife_hw_mgr->free_ctx_list, &ife_ctx);
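Review bot: The caller's log line `CAM_ERR(CAM_ISP, "buffer size is not enough");` in cam_ife_mgr_acquire_hw no longer matches every failure, because cam_ife_mgr_check_and_update_fe now also returns -EINVAL for an out-of-range num_out_res. A neutral message such as `CAM_ERR(CAM_ISP, "invalid acquire info, rc %d", rc);` would keep triage from pointing at the wrong cause. Separately, the new range check reads `in_port->num_out_res` through a pointer built from `acquire_hw_info->input_info_offset`. The hunk does not show that offset, or the room for one `struct cam_isp_in_port_info`, being compared against the size of the acquire buffer before that first read, so this should be confirmed in the part of the function outside the hunk. Both functions start and end outside the hunks shown.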