Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b8b8b7a8 authored by Jayant Shekhar's avatar Jayant Shekhar Committed by Gerrit - the friendly Code Review server
Browse files

msm: mdss: Add input frame sanity check for cursor update 



There are cases where incoming layers to MDP set as cursors
have size more than maximum cursor size supported by HW.
Add input sanity check in hw cursor update for the same.

Change-Id: Iedcfb565038e883e6b91bb2726fa32648ec96637
Signed-off-by: default avatarJayant Shekhar <jshekhar@codeaurora.org>
parent 16bd12a5

drivers/video/msm/mdss/mdss_mdp_overlay.c

+8 −1
Original line number Diff line number Diff line
@@ -3175,6 +3175,7 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
	u32 start_y = img->dy;

	u32 left_lm_w = left_lm_w_from_mfd(mfd);

	u32 cursor_frame_size = mdss_mdp_get_cursor_frame_size(mdata);

	u32 input_frame_size = img->width * img->height * 4;



	ret = mutex_lock_interruptible(&mdp5_data->ov_lock);

	if (ret)
@@ -3185,6 +3186,12 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
		goto done;

	}



	if (input_frame_size > cursor_frame_size) {

		pr_err("Input frame bigger than max cursor size\n");

		ret = -EINVAL;

		goto done;

	}



	if (!cursor->enable) {

		mdss_mdp_curor_pipe_cleanup(mfd, CURSOR_PIPE_LEFT);

		mdss_mdp_curor_pipe_cleanup(mfd, CURSOR_PIPE_RIGHT);
@@ -3292,7 +3299,7 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 


	if (mfd->cursor_buf && (cursor->set & FB_CUR_SETIMAGE)) {

		ret = copy_from_user(mfd->cursor_buf, img->data,

				     img->width * img->height * 4);

					input_frame_size);

		if (ret) {

			pr_err("copy_from_user error. rc=%d\n", ret);

			goto done;