Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6bbbb5da authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: mdss: Fix integer overflow in cursor validaton"

parents 08b835b7 10e9215b

drivers/video/msm/mdss/mdss_mdp_overlay.c

+11 −8
Original line number Diff line number Diff line
@@ -4687,12 +4687,21 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
		start_y = 0;

	}



	if ((img->width > mdata->max_cursor_size) ||

		(img->height > mdata->max_cursor_size) ||

		(img->depth != 32) || (start_x >= xres) ||

		(start_y >= yres)) {

		pr_err("Invalid cursor image coordinates\n");

		ret = -EINVAL;

		goto done;

	}



	roi.w = min(xres - start_x, img->width - roi.x);

	roi.h = min(yres - start_y, img->height - roi.y);



	if ((roi.w > mdata->max_cursor_size) ||

		(roi.h > mdata->max_cursor_size) ||

		(img->depth != 32) || (start_x >= xres) || (start_y >= yres)) {

		(roi.h > mdata->max_cursor_size)) {

		pr_err("Invalid cursor ROI size\n");

		ret = -EINVAL;

		goto done;

	}
@@ -4723,12 +4732,6 @@ static int mdss_mdp_hw_cursor_pipe_update(struct msm_fb_data_type *mfd, 
	req->transp_mask = img->bg_color & ~(0xff << var->transp.offset);



	if (mfd->cursor_buf && (cursor->set & FB_CUR_SETIMAGE)) {

		if (img->width * img->height * 4 > cursor_frame_size) {

			pr_err("cursor image size is too large\n");

			ret = -EINVAL;

			goto done;

		}



		ret = copy_from_user(mfd->cursor_buf, img->data,

				     img->width * img->height * 4);

		if (ret) {