msm:camera:isp: fix array index bound checks

		return -EINVAL;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])

		> MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=

			MAX_NUM_STREAM) {

			return -EINVAL;

		}

		stream_info = &axi_data->stream_info[

		&vfe_dev->axi_data, stream_cfg_cmd);

	if (rc) {

		pr_err("%s: Request validation failed\n", __func__);

		if (HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle) <

			MAX_NUM_STREAM)

			msm_isp_axi_destroy_stream(&vfe_dev->axi_data,

			      HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));

		return rc;

	int rc = 0, i;

	struct msm_vfe_axi_stream_release_cmd *stream_release_cmd = arg;

	struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;

	struct msm_vfe_axi_stream *stream_info =

		&axi_data->stream_info[

		HANDLE_TO_IDX(stream_release_cmd->stream_handle)];

	struct msm_vfe_axi_stream *stream_info;

	struct msm_vfe_axi_stream_cfg_cmd stream_cfg;

	if (HANDLE_TO_IDX(stream_release_cmd->stream_handle) >=

		MAX_NUM_STREAM) {

		pr_err("%s: Invalid stream handle\n", __func__);

		return -EINVAL;

	}

	stream_info = &axi_data->stream_info[

		HANDLE_TO_IDX(stream_release_cmd->stream_handle)];

	if (stream_info->state == AVALIABLE) {

		pr_err("%s: Stream already released\n", __func__);

		return -EINVAL;

	uint8_t drop_frame = 0;

	memset(&buf_event, 0, sizeof(buf_event));

	if (stream_idx >= MAX_NUM_STREAM) {

		pr_err("%s: Invalid stream_idx", __func__);

		return;

	}

	frame_id = vfe_dev->axi_data.

		src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;

		return;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])

		> MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=

			MAX_NUM_STREAM) {

			return;

		}

		stream_info =

		return -EINVAL;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])

		> MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=

				MAX_NUM_STREAM) {

			return -EINVAL;

		}

		stream_info = &axi_data->stream_info[

		return -EINVAL;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])

		> MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=

			MAX_NUM_STREAM) {

			return -EINVAL;

		}

		stream_info = &axi_data->stream_info[

		return -EINVAL;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])

		> MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=

			MAX_NUM_STREAM) {

			return -EINVAL;

		}

		stream_info = &axi_data->stream_info[

	for (i = 0; i < update_cmd->num_streams; i++) {

		update_info = &update_cmd->update_info[i];

		/*check array reference bounds*/

		if (HANDLE_TO_IDX(update_info->stream_handle)

		 > MAX_NUM_STREAM) {

		if (HANDLE_TO_IDX(update_info->stream_handle) >=

			MAX_NUM_STREAM) {

			return -EINVAL;

		}

		stream_info = &axi_data->stream_info[

		comp_info = &axi_data->composite_info[i];

		wm_mask &= ~(comp_info->stream_composite_mask);

		if (comp_mask & (1 << i)) {

			if (!comp_info->stream_handle) {

			stream_idx = HANDLE_TO_IDX(comp_info->stream_handle);

			if ((!comp_info->stream_handle) ||

				(stream_idx >= MAX_NUM_STREAM)) {

				pr_err("%s: Invalid handle for composite irq\n",

					__func__);

				continue;

	for (i = 0; i < axi_data->hw_info->num_wm; i++) {

		if (wm_mask & (1 << i)) {

			if (!axi_data->free_wm[i]) {

			stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);

			if ((!axi_data->free_wm[i]) ||

				(stream_idx >= MAX_NUM_STREAM)) {

				pr_err("%s: Invalid handle for wm irq\n",

					__func__);

				continue;

			}

			stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);

			stream_info = &axi_data->stream_info[stream_idx];

			ISP_DBG("%s: stream id %x frame id: 0x%x\n", __func__,

				stream_info->stream_id, stream_info->frame_id);