Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 21857860 authored by Surajit Podder's avatar Surajit Podder Committed by Gerrit - the friendly Code Review server
Browse files

msm: vidc: Fix possible out of bound array access 



Fix possible out of bound array access by
putting bounds check in __map_and_update_binfo.
Use u32 to access array to simplify bounds check.

Change-Id: I127fdc76fc273c0bcca727e9264a1d0f208dac1b
Signed-off-by: default avatarSurajit Podder <spodder@codeaurora.org>
parent d0d9cb93

drivers/media/platform/msm/vidc/msm_vidc.c

+13 −4
Original line number Diff line number Diff line
@@ -533,11 +533,18 @@ static inline void save_v4l2_buffer(struct v4l2_buffer *b, 


static int __map_and_update_binfo(struct msm_vidc_inst *inst,

					struct buffer_info *binfo,

					struct v4l2_buffer *b, int i)

					struct v4l2_buffer *b, u32 i)

{

	int rc = 0;

	struct msm_smem *same_fd_handle = NULL;



	if (i >= VIDEO_MAX_PLANES) {

		dprintk(VIDC_ERR, "Num planes exceeds max: %d, %d\n",

			i, VIDEO_MAX_PLANES);

		rc = -EINVAL;

		goto exit;

	}



	same_fd_handle = get_same_fd_buffer(

			inst, b->m.planes[i].reserved[0]);
@@ -558,6 +565,7 @@ static int __map_and_update_binfo(struct msm_vidc_inst *inst, 
		b->m.planes[i].m.userptr = binfo->device_addr[i];

	}



exit:

	return rc;

}
@@ -565,7 +573,8 @@ static int __handle_fw_referenced_buffers(struct msm_vidc_inst *inst, 
					struct buffer_info *binfo,

					struct v4l2_buffer *b)

{

	int i = 0, rc = 0;

	int rc = 0;

	u32 i = 0;



	if (EXTRADATA_IDX(b->length)) {

		i = EXTRADATA_IDX(b->length);
@@ -583,8 +592,8 @@ int map_and_register_buf(struct msm_vidc_inst *inst, struct v4l2_buffer *b) 
{

	struct buffer_info *binfo = NULL;

	struct buffer_info *temp = NULL, *iterator = NULL;

	int plane = 0;

	int i = 0, rc = 0;

	int plane = 0, rc = 0;

	u32 i = 0;



	if (!b || !inst) {

		dprintk(VIDC_ERR, "%s: invalid input\n", __func__);