
Commit 53ebc29a authored by Senthil Kumar Rajagopal, committed by Gerrit - the friendly Code Review server

msm: camera: isp: fix for out of bound access array



There is no bound check in stream_cfg_cmd->num_streams,
in functions msm_isp_check_stream_cfg_cmd and
msm_isp_stats_update_cgc_override num_streams is used as
the index for stream_cfg_cmd->stream_handle array which
has a size of 15. Current code did not check the num_streams
to make sure that it did not exceed the array size.

CRs-Fixed: 2006015

Change-Id: I7f195c764a4e6c12e4f7c680bc3c9aa7b078e625
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
parent a3e227fc
+13 −0
@@ -601,6 +601,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev,
	int i;
	uint32_t stats_mask = 0, idx;

	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
		pr_err("%s invalid num_streams %d\n", __func__,
			stream_cfg_cmd->num_streams);
		return -EINVAL;
	}

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);

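Review bot: the new guard at the top of msm_isp_stats_update_cgc_override compares num_streams against MSM_ISP_STATS_MAX, not against the array it is protecting, so it only stays correct while stream_handle is declared with exactly that size (the commit message says 15). Consider `if (stream_cfg_cmd->num_streams > ARRAY_SIZE(stream_cfg_cmd->stream_handle))` so the bound follows the declaration. Separately, the loop right after the guard computes `idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);` from a value in the same command; bounding the loop count does not bound idx, so if idx is used as an array index further down it needs its own range check. If this command can be issued repeatedly by a caller, pr_err_ratelimited would keep a bad num_streams from flooding the log.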
@@ -671,12 +677,19 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev,
	uint32_t num_stats_comp_mask = 0;
	struct msm_vfe_stats_stream *stream_info;
	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;

	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {
		pr_err("%s invalid num_streams %d\n", __func__,
			stream_cfg_cmd->num_streams);
		return -EINVAL;
	}
	num_stats_comp_mask =
		vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;
	rc = vfe_dev->hw_info->vfe_ops.stats_ops.check_streams(
		stats_data->stream_info);
	if (rc < 0)
		return rc;

	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
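Review bot: the guard added at the top of msm_isp_start_stats_stream is a verbatim copy of the one in msm_isp_stats_update_cgc_override, and the commit message names msm_isp_check_stream_cfg_cmd as an affected function, yet no hunk here touches it. Please confirm that function is covered, and consider moving the check into one small helper (or into the common entry point that receives stream_cfg_cmd) so any other user of num_streams as a loop bound over stream_handle gets it too. As in the first hunk, idx derived from stream_handle[i] in the loop below is not bounded by this check. Style: add a blank line between the closing `}` of the new block and `num_stats_comp_mask =` to match the surrounding code.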