
Commit 9fa25bf4 authored by Senthil Kumar Rajagopal, committed by Gerrit - the friendly Code Review server

msm: isp: fix for potential array out of bound access



There is no bound check on dual_hw_ms_cmd->num_src,
which is coming from userspace
num_src is used as the limit for the for loop.
The max num_src can hold is 255 (type uint8_t).
This implies that i can go up to 254.
However dual_hw_ms_cmd->input_src can only hold 5 bytes.
So, we may access out of bound array.

CRs-Fixed: 2006169

Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
parent 10a55a58
+7 −0
@@ -630,6 +630,13 @@ static int msm_isp_set_dual_HW_master_slave_mode(
	}
	ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,
		dual_hw_ms_cmd->num_src);
	if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
		pr_err("%s: Error! Invalid num_src %d\n", __func__,
			dual_hw_ms_cmd->num_src);
		spin_unlock_irqrestore(&vfe_dev->common_data->
			common_dev_data_lock, flags);
		return -EINVAL;
	}
	/* This for loop is for non-primary intf to be marked with Master/Slave
	 * in order for frame id sync. But their timestamp is not saved.
	 * So no sof_info resource is allocated */
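
Review bot: The bound in "if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX)" is only correct if input_src is declared with exactly VFE_SRC_MAX elements, and that declaration is not visible in this hunk. Comparing against ARRAY_SIZE(dual_hw_ms_cmd->input_src) would tie the limit to the array itself and keep the check right if either one changes later. The check also runs with common_dev_data_lock held and interrupts disabled, which is why the error path has to unlock by hand, and it places a pr_err that userspace can trigger repeatedly inside the critical section. If nothing earlier in the function needs the lock to read num_src, validate it before the lock is taken so the early return needs no unlock, and use pr_err_ratelimited for the message.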