
Commit 64cffd64 authored by Lakshmi Narayana Kalavala's avatar Lakshmi Narayana Kalavala

msm: camera: Handle array out of bounds in isp



This change handles possible out-of-bounds array accesses in the
isp driver.

Change-Id: Ifeda6218997895f6e02286da314002d1d8f8e6f2
Signed-off-by: default avatarLakshmi Narayana Kalavala <lkalaval@codeaurora.org>
parent c30e0fc0
+27 −7
@@ -875,9 +875,13 @@ static int msm_isp_cfg_ping_pong_address(struct vfe_device *vfe_dev,
	}

	bufq_handle = stream_info->bufq_handle;

	if (SRC_TO_INTF(stream_info->stream_src) < VFE_SRC_MAX)
		rc = vfe_dev->buf_mgr->ops->get_buf(vfe_dev->buf_mgr,
				vfe_dev->pdev->id, bufq_handle, &buf);
	else {
		pr_err("%s: Invalid stream index\n", __func__);
		rc = -1;
	}

	if (rc < 0) {
		vfe_dev->error_info.stream_framedrop_count[stream_idx]++;
@@ -913,11 +917,21 @@ static void msm_isp_process_done_buf(struct vfe_device *vfe_dev,
	struct msm_isp_event_data buf_event;
	struct timeval *time_stamp;
	uint32_t stream_idx = HANDLE_TO_IDX(stream_info->stream_handle);
	uint32_t frame_id = vfe_dev->axi_data.
		src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
	uint32_t frame_id;
	uint32_t buf_src;
	memset(&buf_event, 0, sizeof(buf_event));

	if (SRC_TO_INTF(stream_info->stream_src) < VFE_SRC_MAX)
		frame_id = vfe_dev->axi_data.
			src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
	else {
		pr_err("%s: Invalid stream index, put buf back to vb2 queue\n",
			__func__);
		vfe_dev->buf_mgr->ops->put_buf(vfe_dev->buf_mgr,
			buf->bufq_handle, buf->buf_idx);
		return;
	}

	if (buf && ts) {
		if (vfe_dev->vt_enable)
			time_stamp = &ts->vt_time;
@@ -1216,8 +1230,14 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
		}
		stream_info = &axi_data->stream_info[
			HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])];

		if (SRC_TO_INTF(stream_info->stream_src) < VFE_SRC_MAX)
			src_state = axi_data->src_info[
				SRC_TO_INTF(stream_info->stream_src)].active;
		else {
			pr_err("%s: invalid src info index\n", __func__);
			return -EINVAL;
		}

		msm_isp_calculate_bandwidth(axi_data, stream_info);
		msm_isp_reset_framedrop(vfe_dev, stream_info);
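Review bot: In msm_isp_process_done_buf the new else branch dereferences `buf` (`buf->bufq_handle`, `buf->buf_idx`) before the existing `if (buf && ts)` check a few lines below. That check suggests callers may pass a NULL `buf`, in which case the invalid-source path would now fault instead of returning cleanly. Guard the put-back, e.g. `if (buf) vfe_dev->buf_mgr->ops->put_buf(vfe_dev->buf_mgr, buf->bufq_handle, buf->buf_idx);`. The same bounds check is open-coded in msm_isp_cfg_ping_pong_address and msm_isp_start_axi_stream with different error values (`rc = -1` versus `return -EINVAL`); using `-EINVAL` in both would be more consistent. All three function bodies start and end outside the hunks shown.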
+7 −7
@@ -12,6 +12,7 @@
#include <linux/io.h>
#include <linux/atomic.h>
#include <media/v4l2-subdev.h>
#include <media/msmb_isp.h>
#include "msm_isp_util.h"
#include "msm_isp_stats_util.h"

@@ -24,24 +25,23 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev,
	uint32_t pingpong_bit = 0;
	uint32_t bufq_handle = stream_info->bufq_handle;
	uint32_t stats_pingpong_offset;
	uint32_t stats_idx = STATS_IDX(stream_info->stream_handle);

	if (STATS_IDX(stream_info->stream_handle) >=
			vfe_dev->hw_info->stats_hw_info->num_stats_type) {
		pr_err("%s Invalid stats index %d", __func__,
				STATS_IDX(stream_info->stream_handle));
	if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type ||
		stats_idx > MSM_ISP_STATS_MAX) {
		pr_err("%s Invalid stats index %d", __func__, stats_idx);
		return -EINVAL;
	}

	stats_pingpong_offset =
		vfe_dev->hw_info->stats_hw_info->stats_ping_pong_offset[
		STATS_IDX(stream_info->stream_handle)];
		stats_idx];

	pingpong_bit = (~(pingpong_status >> stats_pingpong_offset) & 0x1);
	rc = vfe_dev->buf_mgr->ops->get_buf(vfe_dev->buf_mgr,
			vfe_dev->pdev->id, bufq_handle, &buf);
	if (rc < 0) {
		vfe_dev->error_info.stats_framedrop_count[
			STATS_IDX(stream_info->stream_handle)]++;
		vfe_dev->error_info.stats_framedrop_count[stats_idx]++;
		return rc;
	}
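Review bot: The added bound `stats_idx > MSM_ISP_STATS_MAX` still accepts `stats_idx == MSM_ISP_STATS_MAX`. If `stats_ping_pong_offset` and `stats_framedrop_count` are declared with `MSM_ISP_STATS_MAX` elements (their declarations are not visible here), that value indexes one past the end, so the comparison should be `stats_idx >= MSM_ISP_STATS_MAX`. `stats_idx` is a `uint32_t`, so the log line should use `%u` and end with a newline: `pr_err("%s Invalid stats index %u\n", __func__, stats_idx);`. The body of msm_isp_stats_cfg_ping_pong_address continues past the end of this hunk.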