Loading drivers/media/platform/msm/vidc/hfi_response_handler.c +21 −9 Original line number Diff line number Diff line Loading @@ -284,6 +284,12 @@ static int hfi_process_evt_release_buffer_ref(u32 device_id, "hal_process_session_init_done: bad_pkt_size\n"); return -E2BIG; } if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32) + sizeof(struct hfi_msg_release_buffer_ref_event_packet)) { dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n", __func__, pkt->size); return -E2BIG; } data = (struct hfi_msg_release_buffer_ref_event_packet *) pkt->rg_ext_event_data; Loading Loading @@ -1546,15 +1552,13 @@ static int hfi_process_session_etb_done(u32 device_id, struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt; struct msm_vidc_cb_data_done data_done = {0}; struct hfi_picture_type *hfi_picture_type = NULL; u32 is_sync_frame; dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id); if (!pkt || pkt->size < sizeof(struct hfi_msg_session_empty_buffer_done_packet)) { dprintk(VIDC_ERR, "hal_process_session_etb_done: bad_pkt_size\n"); return -E2BIG; } sizeof(struct hfi_msg_session_empty_buffer_done_packet)) goto bad_packet_size; data_done.device_id = device_id; data_done.session_id = (void *)(uintptr_t)pkt->session_id; Loading @@ -1569,8 +1573,13 @@ static int hfi_process_session_etb_done(u32 device_id, (ion_phys_addr_t)pkt->extra_data_buffer; data_done.input_done.status = hfi_map_err_status(pkt->error_type); hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0]; if (hfi_picture_type->is_sync_frame) { is_sync_frame = pkt->rgData[0]; if (is_sync_frame == 1) { if (pkt->size < sizeof(struct hfi_msg_session_empty_buffer_done_packet) + sizeof(struct hfi_picture_type)) goto bad_packet_size; hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1]; if (hfi_picture_type->picture_type) data_done.input_done.flags = hfi_picture_type->picture_type; Loading @@ -1589,6 +1598,10 @@ static int hfi_process_session_etb_done(u32 device_id, }; return 0; bad_packet_size: dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n", __func__, pkt ? pkt->size : 0); return -E2BIG; } static int hfi_process_session_ftb_done( Loading Loading @@ -1829,8 +1842,7 @@ static int hfi_process_session_rel_buf_done(u32 device_id, cmd_done.session_id = (void *)(uintptr_t)pkt->session_id; cmd_done.status = hfi_map_err_status(pkt->error_type); if (pkt->rg_buffer_info) { cmd_done.data.buffer_info = *(struct hal_buffer_info *)pkt->rg_buffer_info; cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info; cmd_done.size = sizeof(struct hal_buffer_info); } else { dprintk(VIDC_ERR, "invalid payload in rel_buff_done\n"); Loading drivers/media/platform/msm/vidc/vidc_hfi.h +2 −2 Original line number Diff line number Diff line /* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. /* Copyright (c) 2012-2016,2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -662,7 +662,7 @@ struct hfi_msg_session_empty_buffer_done_packet { u32 input_tag; u32 packet_buffer; u32 extra_data_buffer; u32 rgData[0]; u32 rgData[1]; }; struct hfi_msg_session_fill_buffer_done_compressed_packet { Loading drivers/media/platform/msm/vidc/vidc_hfi_helper.h +0 −1 Original line number Diff line number Diff line Loading @@ -703,7 +703,6 @@ struct hfi_bit_depth { }; struct hfi_picture_type { u32 is_sync_frame; u32 picture_type; }; Loading Loading
drivers/media/platform/msm/vidc/hfi_response_handler.c +21 −9 Original line number Diff line number Diff line Loading @@ -284,6 +284,12 @@ static int hfi_process_evt_release_buffer_ref(u32 device_id, "hal_process_session_init_done: bad_pkt_size\n"); return -E2BIG; } if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32) + sizeof(struct hfi_msg_release_buffer_ref_event_packet)) { dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n", __func__, pkt->size); return -E2BIG; } data = (struct hfi_msg_release_buffer_ref_event_packet *) pkt->rg_ext_event_data; Loading Loading @@ -1546,15 +1552,13 @@ static int hfi_process_session_etb_done(u32 device_id, struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt; struct msm_vidc_cb_data_done data_done = {0}; struct hfi_picture_type *hfi_picture_type = NULL; u32 is_sync_frame; dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id); if (!pkt || pkt->size < sizeof(struct hfi_msg_session_empty_buffer_done_packet)) { dprintk(VIDC_ERR, "hal_process_session_etb_done: bad_pkt_size\n"); return -E2BIG; } sizeof(struct hfi_msg_session_empty_buffer_done_packet)) goto bad_packet_size; data_done.device_id = device_id; data_done.session_id = (void *)(uintptr_t)pkt->session_id; Loading @@ -1569,8 +1573,13 @@ static int hfi_process_session_etb_done(u32 device_id, (ion_phys_addr_t)pkt->extra_data_buffer; data_done.input_done.status = hfi_map_err_status(pkt->error_type); hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0]; if (hfi_picture_type->is_sync_frame) { is_sync_frame = pkt->rgData[0]; if (is_sync_frame == 1) { if (pkt->size < sizeof(struct hfi_msg_session_empty_buffer_done_packet) + sizeof(struct hfi_picture_type)) goto bad_packet_size; hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1]; if (hfi_picture_type->picture_type) data_done.input_done.flags = hfi_picture_type->picture_type; Loading @@ -1589,6 +1598,10 @@ static int hfi_process_session_etb_done(u32 device_id, }; return 0; bad_packet_size: dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n", __func__, pkt ? pkt->size : 0); return -E2BIG; } static int hfi_process_session_ftb_done( Loading Loading @@ -1829,8 +1842,7 @@ static int hfi_process_session_rel_buf_done(u32 device_id, cmd_done.session_id = (void *)(uintptr_t)pkt->session_id; cmd_done.status = hfi_map_err_status(pkt->error_type); if (pkt->rg_buffer_info) { cmd_done.data.buffer_info = *(struct hal_buffer_info *)pkt->rg_buffer_info; cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info; cmd_done.size = sizeof(struct hal_buffer_info); } else { dprintk(VIDC_ERR, "invalid payload in rel_buff_done\n"); Loading
drivers/media/platform/msm/vidc/vidc_hfi.h +2 −2 Original line number Diff line number Diff line /* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. /* Copyright (c) 2012-2016,2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -662,7 +662,7 @@ struct hfi_msg_session_empty_buffer_done_packet { u32 input_tag; u32 packet_buffer; u32 extra_data_buffer; u32 rgData[0]; u32 rgData[1]; }; struct hfi_msg_session_fill_buffer_done_compressed_packet { Loading
drivers/media/platform/msm/vidc/vidc_hfi_helper.h +0 −1 Original line number Diff line number Diff line Loading @@ -703,7 +703,6 @@ struct hfi_bit_depth { }; struct hfi_picture_type { u32 is_sync_frame; u32 picture_type; }; Loading
