Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 70cb59a5 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: mdss: Add input frame sanity check for cursor update"

parents 32e00ce6 b8b8b7a8

drivers/video/msm/mdss/mdss_mdp_overlay.c

+8 −1
Original line number Diff line number Diff line
@@ -3175,6 +3175,7 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
	u32 start_y = img->dy;

	u32 left_lm_w = left_lm_w_from_mfd(mfd);

	u32 cursor_frame_size = mdss_mdp_get_cursor_frame_size(mdata);

	u32 input_frame_size = img->width * img->height * 4;



	ret = mutex_lock_interruptible(&mdp5_data->ov_lock);

	if (ret)
@@ -3185,6 +3186,12 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
		goto done;

	}



	if (input_frame_size > cursor_frame_size) {

		pr_err("Input frame bigger than max cursor size\n");

		ret = -EINVAL;

		goto done;

	}



	if (!cursor->enable) {

		mdss_mdp_curor_pipe_cleanup(mfd, CURSOR_PIPE_LEFT);

		mdss_mdp_curor_pipe_cleanup(mfd, CURSOR_PIPE_RIGHT);
@@ -3292,7 +3299,7 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 


	if (mfd->cursor_buf && (cursor->set & FB_CUR_SETIMAGE)) {

		ret = copy_from_user(mfd->cursor_buf, img->data,

				     img->width * img->height * 4);

					input_frame_size);

		if (ret) {

			pr_err("copy_from_user error. rc=%d\n", ret);

			goto done;