
Commit dc729ca2 authored by Priyanka Gujjula's avatar Priyanka Gujjula Committed by Gerrit - the friendly Code Review server

msm: vidc: Ensure size of the data available before typecasting



Ensure the available data size within the packet before type-casting
from a smaller data type to a larger one, in order to avoid an
information leak or out-of-bounds packet access.

Change-Id: I8614a8b3f930c87af8aa49f77ea9d768a73ea203
Signed-off-by: default avatarPriyanka Gujjula <pgujjula@codeaurora.org>
parent ecb87a9e
+21 −9
@@ -284,6 +284,12 @@ static int hfi_process_evt_release_buffer_ref(u32 device_id,
				"hal_process_session_init_done: bad_pkt_size\n");
		return -E2BIG;
	}
	if (pkt->size < sizeof(struct hfi_msg_event_notify_packet) - sizeof(u32)
		+ sizeof(struct hfi_msg_release_buffer_ref_event_packet)) {
		dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",
			__func__, pkt->size);
		return -E2BIG;
	}

	data = (struct hfi_msg_release_buffer_ref_event_packet *)
				pkt->rg_ext_event_data;
@@ -1546,15 +1552,13 @@ static int hfi_process_session_etb_done(u32 device_id,
	struct hfi_msg_session_empty_buffer_done_packet *pkt = _pkt;
	struct msm_vidc_cb_data_done data_done = {0};
	struct hfi_picture_type *hfi_picture_type = NULL;
	u32 is_sync_frame;

	dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id);

	if (!pkt || pkt->size <
		sizeof(struct hfi_msg_session_empty_buffer_done_packet)) {
		dprintk(VIDC_ERR,
				"hal_process_session_etb_done: bad_pkt_size\n");
		return -E2BIG;
	}
		sizeof(struct hfi_msg_session_empty_buffer_done_packet))
		goto bad_packet_size;

	data_done.device_id = device_id;
	data_done.session_id = (void *)(uintptr_t)pkt->session_id;
@@ -1569,8 +1573,13 @@ static int hfi_process_session_etb_done(u32 device_id,
		(ion_phys_addr_t)pkt->extra_data_buffer;
	data_done.input_done.status =
		hfi_map_err_status(pkt->error_type);
	hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[0];
	if (hfi_picture_type->is_sync_frame) {
	is_sync_frame = pkt->rgData[0];
	if (is_sync_frame == 1) {
		if (pkt->size <
			sizeof(struct hfi_msg_session_empty_buffer_done_packet)
			+ sizeof(struct hfi_picture_type))
			goto bad_packet_size;
		hfi_picture_type = (struct hfi_picture_type *)&pkt->rgData[1];
		if (hfi_picture_type->picture_type)
			data_done.input_done.flags =
				hfi_picture_type->picture_type;
@@ -1589,6 +1598,10 @@ static int hfi_process_session_etb_done(u32 device_id,
	};

	return 0;
bad_packet_size:
	dprintk(VIDC_ERR, "%s: bad_pkt_size: %d\n",
		__func__, pkt ? pkt->size : 0);
	return -E2BIG;
}

static int hfi_process_session_ftb_done(
@@ -1829,8 +1842,7 @@ static int hfi_process_session_rel_buf_done(u32 device_id,
	cmd_done.session_id = (void *)(uintptr_t)pkt->session_id;
	cmd_done.status = hfi_map_err_status(pkt->error_type);
	if (pkt->rg_buffer_info) {
		cmd_done.data.buffer_info =
			*(struct hal_buffer_info *)pkt->rg_buffer_info;
		cmd_done.data.buffer_info.buffer_addr = *pkt->rg_buffer_info;
		cmd_done.size = sizeof(struct hal_buffer_info);
	} else {
		dprintk(VIDC_ERR, "invalid payload in rel_buff_done\n");
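Review bot: In hfi_process_session_etb_done the trace line `dprintk(VIDC_DBG, "RECEIVED: SESSION_ETB_DONE[%#x]\n", pkt->session_id);` still dereferences pkt before the `if (!pkt || pkt->size < ...)` guard that now jumps to bad_packet_size, so a NULL _pkt faults in the trace rather than reaching the new label, which itself anticipates NULL with `pkt ? pkt->size : 0`. Moving the dprintk below the size check, or adding `if (!pkt) goto bad_packet_size;` ahead of it, would make the NULL handling consistent. Separately, the sync-frame test went from a truthiness check on `hfi_picture_type->is_sync_frame` to `if (is_sync_frame == 1)`; if the firmware ever reports a non-zero value other than 1 the picture_type flags are now silently dropped, so either `if (is_sync_frame)` or a comment stating that 1 is the only defined value would be worth adding — I can't tell from this page which is intended. The function's body is spread across several hunks and its start lies outside the section.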
+2 −2
/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2016,2019 The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -662,7 +662,7 @@ struct hfi_msg_session_empty_buffer_done_packet {
	u32 input_tag;
	u32 packet_buffer;
	u32 extra_data_buffer;
	u32 rgData[0];
	u32 rgData[1];
};

struct hfi_msg_session_fill_buffer_done_compressed_packet {
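Review bot: `u32 rgData[1];` enlarges sizeof(struct hfi_msg_session_empty_buffer_done_packet) by one u32 compared with the previous zero-length array, yet the field carries no comment explaining that rgData[0] is the sync-frame word and that the hfi_picture_type payload is expected from rgData[1] onward; that layout currently lives only in the parser. A comment such as `u32 rgData[1]; /* rgData[0]: is_sync_frame; hfi_picture_type payload starts at rgData[1] */` would tie the struct to the size checks that depend on it. Every other use of sizeof() on this packet, including the minimum-size check on the receive path, now requires that extra word to be present, which presumably matches the firmware's packet layout but is worth confirming against the HFI spec.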
+0 −1
@@ -703,7 +703,6 @@ struct hfi_bit_depth {
};

struct hfi_picture_type {
	u32 is_sync_frame;
	u32 picture_type;
};