Commit 31e2a2f0 authored Feb 15, 2017 by Senthil Kumar Rajagopal Committed by Gerrit - the friendly Code Review server Mar 06, 2017

msm: isp: fix for potentitial array out of bound access



There is no bound check on dual_hw_ms_cmd->num_src,
which is coming from userspace
num_src is used as the index for the input_src array
which has a size of 5.
The current code did not check the num_src to make sure
that it never exceeds the input_src array size.

CRs-Fixed: 2006169
Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>

parent 5720340d

drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -618,6 +618,11 @@ static int msm_isp_set_dual_HW_master_slave_mode(
		}
		ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,
		dual_hw_ms_cmd->num_src);
		if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {
		pr_err("%s: Error! Invalid num_src %d\n", __func__,
		dual_hw_ms_cmd->num_src);
		return -EINVAL;
		}
		/* This for loop is for non-primary intf to be marked with Master/Slave
		* in order for frame id sync. But their timestamp is not saved.
		* So no sof_info resource is allocated */