
Commit e86478fe authored by Krishnankutty Kolathappilly

cpp: Add error handling for invalid frame length in cpp frame info



There will be an overflow if the message length in cpp frame info is a big value.
Add error check to prevent integer overflow.

Change-Id: I869adf87dfbd18f4182571e1b4eb17e7a130e15c
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
parent 2d3171d7
+7 −0
@@ -2329,6 +2329,13 @@ static struct msm_cpp_frame_info_t *get_64bit_cpp_frame_from_compat(
	/* Convert the 32 bit pointer to 64 bit pointer */
	new_frame->cookie = compat_ptr(new_frame32->cookie);
	cpp_cmd_msg_64bit = compat_ptr(new_frame32->cpp_cmd_msg);
	if ((new_frame->msg_len == 0) ||
		(new_frame->msg_len > MSM_CPP_MAX_FRAME_LENGTH)) {
		pr_err("%s:%d: Invalid frame len:%d\n", __func__,
			__LINE__, new_frame->msg_len);
		goto strip_err;
	}

	cpp_frame_msg = kzalloc(sizeof(uint32_t)*new_frame->msg_len,
		GFP_KERNEL);
	if (!cpp_frame_msg) {
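
Review bot: the allocation directly below the new check still sizes the buffer with an open-coded multiply, sizeof(uint32_t)*new_frame->msg_len, so the overflow protection rests entirely on MSM_CPP_MAX_FRAME_LENGTH staying small enough for the product to fit. Switching to kcalloc(new_frame->msg_len, sizeof(uint32_t), GFP_KERNEL) keeps the zeroing and makes the allocator reject an overflowing product even if that constant is raised later. In the pr_err, msg_len is printed with %d; if the field is unsigned (its declaration is not in this hunk), %u avoids logging an oversized length as a negative number. The strip_err label is not visible here either, so please confirm it releases new_frame, which is already in use at this point, and that the non-compat path for the same frame info carries an equivalent bound check.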